WordPress plugin UpdraftPlus vulnerability

Tags (space separated): Uncategorized


The vulnerability affects the latest version of the plugin (1.13.15).

Authenticated file upload and PHP code execution

File: /wp-content/plugins/updraftplus/admin.php, line 1843, function plupload_action

The name parameter is used to set the filename, and the uploaded file content is moved into that file.

The server only performs a basic check of the file name; any valid backup file name passes it, for example backup_2017-11-29-1844_test_d6c634e49869-plugins.zip.

About 39 lines later in the function, the file is deleted.

This is a race condition: if we request the uploaded file after it has been written but before it is deleted, we get PHP code execution.

PoC

File name, for example:

backup_2017-11-29-1844_test_d6c634e49869-plugins

File content:

```php
<?php
// PoC payload: when executed, it writes a second PHP file next to the upload location
$f = fopen('../a.php','wb');
fwrite($f, '<?php phpinfo();?>');
fclose($f);
```

By uploading this file and requesting it before it is deleted, we can write a.php into /wp-content/a.php.
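From the defender's side, the three weaknesses above (a loosely validated attacker-chosen name, no check that the content is an archive, and a web-served location during the write-to-delete window) map onto three checks. The following is an added illustration, not UpdraftPlus code; the function names, the exact regex, the entity list and the staging directory are assumptions:

```php
<?php
// Hypothetical hardening for an upload handler like the one described above.
// Not UpdraftPlus code: names, the regex and the entity list are assumptions.

// Only accept names matching the full backup naming scheme, including an
// archive extension, so a bare "backup_..._test_..-plugins" is rejected.
const BACKUP_NAME_RE =
    '/^backup_\d{4}-\d{2}-\d{2}-\d{4}_[A-Za-z0-9]+_[0-9a-f]{12}-(plugins|themes|uploads|others|db)\.(zip|gz)$/';

function backup_name_is_valid(string $name): bool {
    // basename() differing from $name means a directory component was smuggled in.
    if ($name !== basename($name)) {
        return false;
    }
    return preg_match(BACKUP_NAME_RE, $name) === 1;
}

function looks_like_archive(string $path): bool {
    // Check magic bytes instead of trusting the name: ZIP ("PK\x03\x04") or
    // gzip (0x1f 0x8b). A file that starts with "<?php" fails here.
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 4);
    fclose($fh);
    return strncmp($head, "PK\x03\x04", 4) === 0
        || strncmp($head, "\x1f\x8b", 2) === 0;
}

function stage_upload(string $name, string $tmp_path, string $staging_dir): ?string {
    if (!backup_name_is_valid($name) || !looks_like_archive($tmp_path)) {
        return null; // rejected before anything is written
    }
    // $staging_dir is assumed to be OUTSIDE the web root (e.g. under the system
    // temp dir). Then a file that lingers between write and delete is never
    // served, which removes the race window's value to an attacker.
    $dest = rtrim($staging_dir, '/') . '/' . $name;
    if (!move_uploaded_file($tmp_path, $dest)) {
        return null;
    }
    chmod($dest, 0600); // owner read/write only; not executable
    return $dest;
}
```

The magic-byte check alone does not defeat polyglot archives, so the non-served staging directory is the control that actually closes the race; the other two reduce noise and attack surface.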

(2017.11.29 supplement: vulnerability details)

Authenticated SSRF

File: /wp-content/plugins/updraftplus/admin.php, line 1233, function updraft_ajax_handler

When subaction='httpget', the curl parameter is passed into the function http_get, which uses curl to request the given URL. This can be exploited to conduct server-side request forgery (SSRF) attacks.

PoC

Log in and open:

http://127.0.0.1/wordpress4.8/wp-admin/options-general.php?page=updraftplus&tab=expert

Use "Fetch (curl)".