#################################################################################################
# Exploit Title : WordPress Share-Buttons Plugin 4.9.9 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/12/2018
# Vendor Homepage : wordpress.org ~ sbuttons.ru
# Software Download Link : atwebresults.com/php_ajax_image_upload/
+ wordpress.org/plugins/tags/share-buttons/
+ raw.githubusercontent.com/usaphp/plufit/master/wp-content/plugins/share-buttons/upload/index.php
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : V2.7 ~ V4.0 ~ V4.4.2 ~ V4.6.1 ~ V4.7.12 ~ V4.8.8 ~ V4.9.7 ~ V4.9.8 ~ V4.9.9
+ Observed server stack : Apache 2.4.10 ~ Apache 2.4.33 ~ Apache 2.4.35 ~ PHP 5.6.38 ~ OpenSSL 0.9.8e ~ UNIX OS
+ jQuery 1.8.2 ~ Nginx 1.12.2 ~ Nginx 1.10.3
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/share-buttons/''
+ intext:''Sleeker More "Web 2.0" onChange Use'' /wp-content/plugins/share-buttons/
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434 - [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Admin Panel Login Path : /wp-login.php
# Arbitrary File Upload/Remote Shell Upload Exploit (the upload page is served straight from the plugin directory and carries no WordPress login, capability or nonce check) :
/wp-content/plugins/share-buttons/upload/index.php
/wp-content/plugins/share-buttons/upload/scripts/ajaxupload.php
Error (response of ajaxupload.php when it is requested without a file) : Error(s) Found: File Size Empty,
# Directory File Path : /wp-content/plugins/share-buttons/upload/uploads/[FILENAMEHERE]_[RANDOM-NUMBERS].png
# Note (double / semicolon extension variants) : .php;.gif ~ .asp;.png ~ .shtml.fla;.jpeg
#################################################################################################
Vulnerable File Code : /upload/index.php
************************************
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
      lang="en">
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8" />
<title>PHP AJAX Image Upload, Truly Web 2.0!</title>
<link href="css/styles.css" rel="stylesheet" type="text/css" media="all" />
<!-- MAKE SURE TO REFERENCE THIS FILE! -->
<script type="text/javascript" src="scripts/ajaxupload.js"></script>
<!-- END REQUIRED JS FILES -->
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
<style type="text/css">
iframe { display:none; }
</style>
<!-- THIS CSS MAKES THE IFRAME NOT JUMP -->
</head>
<body>
<div id="container">
<!-- THIS IS THE IMPORTANT STUFF! -->
<div id="demo_area">
<div id="left_col">
<!--
VERY IMPORTANT! Update the form elements below
ajaxUpload fields:
1. form - the form to submit or the ID of a form (ex. this.form or standard_use)
2. url_action - url to submit the form. like 'action' parameter of forms.
3. id_element - element that will receive return of upload.
4. html_show_loading - Text (or image) that will be show while loading
5. html_error_http - Text (or image) that will be show if HTTP error.
VARIABLE PASSED BY THE FORM:
maximum allowed file size in bytes: maxSize = 9999999999
maximum image width in pixels: maxW = 100
maximum image height in pixels: maxH = 100
the full path to the image upload folder: fullPath = http://www.atwebresults.com/php_ajax_image_upload/uploads/
the relative path from scripts/ajaxupload.php -> uploads/ folder relPath = ../uploads/
The next 3 are for cunstom matte color of transparent images (gif,png), use RGB value
colorR = 255
colorG = 255
colorB = 255
The form name of the file upload script
filename = filename
-->
<fieldset>
<legend>Sleeker More "Web 2.0" onChange Use</legend>
<form action="index.php" method="post" name="sleeker" id="sleeker" enctype="multipart/form-data">
<input type="hidden" name="maxSize" value="9999999999" />
<input type="hidden" name="maxW" value="200" />
<input type="hidden" name="fullPath" value=" http://test-wordpress.kg/upload/uploads/" />
<input type="hidden" name="relPath" value="../uploads/" />
<input type="hidden" name="colorR" value="255" />
<input type="hidden" name="colorG" value="255" />
<input type="hidden" name="colorB" value="255" />
<input type="hidden" name="maxH" value="300" />
<input type="hidden" name="filename" value="filename" />
<p><input type="file" name="filename" onchange="ajaxUpload(this.form,'scripts/ajaxupload.php?filename=name&maxSize=9999999999&maxW=200&fullPath= http://test-wordprees.kg/upload/uploads/&relPath=../uploads/&colorR=255&colorG=255&colorB=255&maxH=300','upload_area','File Uploading Please Wait...<br /><img src=\'images/loader_light_blue.gif\' width=\'128\' height=\'15\' border=\'0\' />','<img src=\'images/error.gif\' width=\'16\' height=\'16\' border=\'0\' /> Error in Upload, check settings and path info in source code.'); return false;" /></p>
</form>
</fieldset>
<br /><small style="font-weight: bold; font-style:italic;">Supported File Types: gif, jpg, png</small>
</div>
<div id="right_col">
<?php ?>
<div id="upload_area"><img src="uploads/logo.png"> </div>
</div>
<div class="clear"> </div>
</div>
<!-- END IMPORTANT STUFF -->
</body>
</html>
************************************
Security-relevant points in the file above : the only PHP in it is an empty <?php ?> block, so nothing authenticates the visitor; the upload limit (maxSize = 9999999999), the destination (fullPath and relPath = ../uploads/) and the field name are sent to scripts/ajaxupload.php as hidden form fields and query parameters, so they are entirely client-controlled; and "Supported File Types: gif, jpg, png" is only a label in index.php, any filtering happens in scripts/ajaxupload.php, which is not shown here.
#################################################################################################
# Example Vulnerable Sites =>
[+] russia.starchildglobal.com/wp-content/plugins/share-buttons/upload/index.php
[+] viatec.md/wp-content/plugins/share-buttons/upload/index.php
[+] outfund.ru/wp-content/plugins/share-buttons/upload/index.php
[+] cnho.ru/wp-content/plugins/share-buttons/upload/index.php
[+] like-tv.tv/wp-content/plugins/share-buttons/upload/index.php
[+] eparhia-tmb.ru/wp-content/plugins/share-buttons/upload/index.php
[+] unost.org/wp-content/plugins/share-buttons/upload/index.php
[+] hww.ru/wp/wp-content/plugins/share-buttons/upload/index.php
[+] daode.com.ua/wp-content/plugins/share-buttons/upload/index.php
[+] udacha.pro/wp-content/plugins/share-buttons/upload/index.php
[+] brukioptom.com.ua/wp-content/plugins/share-buttons/upload/index.php
[+] poddelki.net/wp-content/plugins/share-buttons/upload/index.php
[+] spblago.ru/wp-content/plugins/share-buttons/upload/index.php
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################
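Hardened upload handler, added here as an example to show what the upload endpoint described in this advisory is missing. It is not code from the Share-Buttons plugin, from the PHP AJAX Image Upload script or from the advisory author. It is written as a WordPress admin-ajax action so that WordPress itself supplies the login, capability and nonce checks; the action name sb_secure_image_upload, the nonce action of the same name and the sb-images/ directory are assumptions. The form's field name "filename" is kept, but every other value the form above sends (maxSize, maxW, maxH, fullPath, relPath, colorR/G/B) is ignored and fixed server-side.

```php
<?php
/*
 * Example hardened image-upload handler for this advisory (not plugin code).
 * Assumed names: action "sb_secure_image_upload", nonce action
 * "sb_secure_image_upload", storage directory wp-content/uploads/sb-images/.
 */

// Registered only for logged-in users: no wp_ajax_nopriv_ hook is added,
// so the endpoint does not exist for anonymous visitors at all.
add_action('wp_ajax_sb_secure_image_upload', 'sb_secure_image_upload');

function sb_secure_image_upload() {
    // 1. Authorisation and CSRF: upload_files capability plus a nonce the
    //    client obtained from wp_create_nonce('sb_secure_image_upload').
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('sb_secure_image_upload', '_wpnonce');

    // 2. Limits and destination are fixed here; the client cannot move them
    //    (the vulnerable form sends maxSize, fullPath and relPath itself).
    $max_bytes = 2 * 1024 * 1024;
    $uploads   = wp_upload_dir();
    $dest_dir  = trailingslashit($uploads['basedir']) . 'sb-images/';
    $dest_url  = trailingslashit($uploads['baseurl']) . 'sb-images/';

    if (empty($_FILES['filename']) || $_FILES['filename']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('no file received', 400);
    }
    $tmp = $_FILES['filename']['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > $max_bytes) {
        wp_send_json_error('upload rejected', 400);
    }

    // 3. Validate the bytes, not the client-supplied name or MIME type:
    //    getimagesize() must parse the file as gif/jpeg/png and the
    //    magic-byte MIME type reported by finfo must agree.
    $types = array(
        IMAGETYPE_GIF  => array('gif', 'image/gif'),
        IMAGETYPE_JPEG => array('jpg', 'image/jpeg'),
        IMAGETYPE_PNG  => array('png', 'image/png'),
    );
    $info = @getimagesize($tmp);
    if ($info === false || !isset($types[$info[2]])) {
        wp_send_json_error('not a gif/jpg/png image', 415);
    }
    list($ext, $expected_mime) = $types[$info[2]];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmp) !== $expected_mime) {
        wp_send_json_error('not a gif/jpg/png image', 415);
    }

    // 4. Re-encode through GD so that data appended to a valid image
    //    (a PHP payload behind a real header, a polyglot) does not survive
    //    into the stored file. Note: this flattens animated GIFs.
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $img = imagecreatefromgif($tmp);  break;
        case IMAGETYPE_JPEG: $img = imagecreatefromjpeg($tmp); break;
        default:             $img = imagecreatefrompng($tmp);  break;
    }
    if ($img === false) {
        wp_send_json_error('image could not be decoded', 415);
    }

    // 5. The stored name is generated server-side and never taken from the
    //    client, so names such as shell.php;.gif or x.shtml.fla;.jpeg never
    //    reach disk. wp_generate_password() is used instead of random_bytes()
    //    because the advisory lists PHP 5.6 hosts.
    $name = wp_generate_password(32, false) . '.' . $ext;
    if (!wp_mkdir_p($dest_dir)) {
        wp_send_json_error('storage error', 500);
    }
    $dest = $dest_dir . $name;
    switch ($info[2]) {
        case IMAGETYPE_GIF:  $ok = imagegif($img, $dest);      break;
        case IMAGETYPE_JPEG: $ok = imagejpeg($img, $dest, 90); break;
        default:             $ok = imagepng($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        wp_send_json_error('storage error', 500);
    }
    chmod($dest, 0644);

    wp_send_json_success(array('url' => $dest_url . $name));
}
```

The handler is reached at /wp-admin/admin-ajax.php?action=sb_secure_image_upload with the nonce in the _wpnonce field of the multipart POST. For an installation that still carries the original upload/ directory, the immediate mitigation is to delete it (or deny access to /wp-content/plugins/share-buttons/upload/ at the web server) and to deny script execution under the uploads directory, so that even a file that slips past a filter is served as static content rather than run as PHP.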