WordPress plugin UpdraftPlus vulnerabilities
Tags (space-separated): uncategorized
The vulnerabilities affect the latest version of the plugin (1.13.15).
Authenticated file upload and PHP code execution
File /wp-content/plugins/updraftplus/admin.php, line 1843, function plupload_action
The file name is taken from the name parameter, and the uploaded content is moved into a file with that name.
The server only does a basic check of the file name: any name that follows the backup naming pattern is accepted, for example backup_2017-11-29-1844_test_d6c634e49869-plugins.zip.
About 39 lines later in the same function, the file is deleted.
This is a race condition: if the file is requested through the web server after it has been written but before it is deleted, the PHP code in it is executed. The window is only those few lines of processing, so the request has to be fired concurrently with the upload.
PoC
File name, for example:
backup_2017-11-29-1844_test_d6c634e49869-plugins
file content:
<?php
$f = fopen('../a.php','wb');
fwrite($f, '<?php phpinfo();?>');
fclose($f);
Upload this file and request it before it is deleted; the payload writes a.php into /wp-content/a.php, after which /wp-content/a.php serves phpinfo().
(Supplementary vulnerability details, 2017-11-29)
Authenticated SSRF
File /wp-content/plugins/updraftplus/admin.php, line 1233, function updraft_ajax_handler
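The write-then-validate pattern behind this race, shown as an added Python simulation (this is not UpdraftPlus code, and the file-name pattern and directory layout below are assumptions standing in for the plugin's own). The vulnerable handler writes the upload into the web-served directory, validates it, and deletes it on failure; the callback passed in plays the role of the concurrent request that lands between the write and the delete. The hardened handler validates in a directory the web server never serves and only moves the file into place once it passes.

```python
"""Race window in a write-then-validate upload handler.

Constructed example, not the plugin's code. `between_write_and_check` stands
in for an attacker's HTTP request hitting the uploaded path during the race
window; in the vulnerable handler it sees the PHP payload, in the hardened
handler there is nothing in the web root to see.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Assumed file-name pattern in the style of the backup names quoted in the
# report; the plugin's exact check is not reproduced here.
BACKUP_NAME = re.compile(
    r"^backup_\d{4}-\d{2}-\d{2}-\d{4}_[^/\\]+_[0-9a-f]{12}-[a-z]+(\.zip)?$"
)


def looks_like_backup_name(name):
    """Basic name check only: says nothing about the file's content."""
    return BACKUP_NAME.match(name) is not None


def is_valid_archive(path):
    """Content check: the upload must actually be a zip archive."""
    return zipfile.is_zipfile(path)


def vulnerable_handler(public_dir, name, content, between_write_and_check):
    """Write into the served directory first, check second (the race)."""
    if not looks_like_backup_name(name):
        return "rejected name"
    path = os.path.join(public_dir, name)
    with open(path, "wb") as f:
        f.write(content)
    between_write_and_check()          # attacker's request lands here
    if not is_valid_archive(path):
        os.unlink(path)                # too late: the file was already served
        return "rejected content"
    return "accepted"


def hardened_handler(public_dir, name, content, between_write_and_check):
    """Quarantine outside the web root; only a validated file reaches public_dir."""
    if not looks_like_backup_name(name):
        return "rejected name"
    with tempfile.TemporaryDirectory() as quarantine:   # never web-served
        tmp = os.path.join(quarantine, "upload.tmp")
        with open(tmp, "wb") as f:
            f.write(content)
        between_write_and_check()      # attacker's request finds nothing
        if not is_valid_archive(tmp):
            return "rejected content"  # temp dir cleanup removes the file
        shutil.move(tmp, os.path.join(public_dir, name))
    return "accepted"


def run_race(handler):
    """Return (handler result, bytes the racing request saw in the web root, or None)."""
    name = "backup_2017-11-29-1844_test_d6c634e49869-plugins"
    # Constructed payload mirroring the report's PoC; not a valid zip.
    payload = (b"<?php $f = fopen('../a.php','wb'); "
               b"fwrite($f, '<?php phpinfo();?>'); fclose($f);")
    seen = {}
    with tempfile.TemporaryDirectory() as public_dir:
        def racing_request():
            p = os.path.join(public_dir, name)
            if os.path.exists(p):
                with open(p, "rb") as f:
                    seen["served"] = f.read()
            else:
                seen["served"] = None
        result = handler(public_dir, name, payload, racing_request)
    return result, seen["served"]


if __name__ == "__main__":
    print("vulnerable:", run_race(vulnerable_handler))
    print("hardened:  ", run_race(hardened_handler))
```

Both handlers reject the same upload, but only the vulnerable one ever exposes it under the served directory; on a real server the racing request would be the one that gets the payload executed.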
When subaction is 'httpget', the request's curl parameter is passed on to http_get, which then uses cURL to fetch the supplied URL from the server. Because the URL is attacker-controlled and the request originates from the web server, an authenticated user can abuse this for server-side request forgery (SSRF), reaching hosts that are only accessible from the server's network.
PoC
Log in and open
http://127.0.0.1/wordpress4.8/wp-admin/options-general.php?page=updraftplus&tab=expert
then use the fetch (curl) function with the URL you want the server to request.
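The destination check a server-side fetch like http_get should apply before issuing the request, as an added Python example (not UpdraftPlus code): it refuses non-HTTP schemes and URLs carrying credentials, resolves the host, and refuses any answer in loopback, private, link-local or other non-public ranges, including IPv4-mapped IPv6 forms. The resolver is injectable, and the DNS table below is constructed so the example runs offline; the host names in it are hypothetical.

```python
"""SSRF destination check for a server-side URL fetch.

Added example, not the plugin's code. Every address the host resolves to
must be globally routable; one internal answer is enough to refuse.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host):
    """Real resolver: all A/AAAA answers for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_fetch_target(url, resolve=system_resolve):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address, no DNS
    except ValueError:
        try:
            addrs = resolve(host)
        except (socket.gaierror, OSError) as e:
            return False, "resolution failed: %s" % e
    if not addrs:
        return False, "host did not resolve"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        # ::ffff:127.0.0.1 must be judged by the embedded IPv4 address
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "%s -> %s" % (host, ", ".join(addrs))


# Constructed DNS table for offline use; these names are hypothetical.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.8"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("unknown host %s" % host)
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://example.com/", "http://intranet.local/admin",
              "http://127.0.0.1/wp-admin/", "http://[::ffff:127.0.0.1]/",
              "file:///etc/passwd", "http://rebind.test/"):
        print(u, check_fetch_target(u, fake_resolve))
```

Resolving once here and letting cURL resolve again at fetch time leaves a DNS-rebinding gap; in practice connect to the address that passed the check (pinning it) and re-run the check on every redirect target rather than letting the client follow redirects on its own.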