SP Project & Document Manager <= 4.22 - Authenticated Shell Upload

Description

This issue is the bypass for https://wpscan.com/vulnerability/8f6e82d5-c0e9-468e-acb8-7cd549f6a45a. The author has limited to upload a file of 'x.pHp', but we can upload a file like '1.php.' .If the target is running on windows environment， it will save as '1.php'

Affects Plugins

sp-client-document-manager <= 4.22
https://wordpress.org/plugins/sp-client-document-manager/

Author

pang0lin@webray.com.cn inc

Condition

Windows environment

Proof of Concept

Create the SP Project & Document Manager page such as 'sp-document'
Upload a file and intercept the request.
Rename the dlg-upload-file[] parameter from '1.txt' with '1.php.' , it is very important the filename endswith 'php.' .
Visit your webshell http://xxx.com/wp-content/uploads/sp-client-document-manager/[user's uid]/1.php

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

wordpress_SP-Project_fileupload.md

wordpress_SP-Project_fileupload.md

SP Project & Document Manager <= 4.22 - Authenticated Shell Upload

Description

Affects Plugins

Author

Condition

Proof of Concept

Files

wordpress_SP-Project_fileupload.md

Latest commit

History

wordpress_SP-Project_fileupload.md

File metadata and controls

SP Project & Document Manager <= 4.22 - Authenticated Shell Upload

Description

Affects Plugins

Author

Condition

Proof of Concept