header-logo
Suggest Exploit
vendor:
Ultimate Product Catalogue
by:
Joaquin Ramirez Martinez
8,8
CVSS
HIGH
Arbitrary File Upload
434
CWE
Product Name: Ultimate Product Catalogue
Affected Version From: 3.8.6
Affected Version To: 3.8.6
Patch Exists: YES
Related CWE: N/A
CPE: a:etoilewebdesign:ultimate_product_catalogue
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Mozilla Firefox
2016

WordPress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)

An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below. The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.

Mitigation:

Ensure that the plugin is up to date and that all users have the least amount of privileges necessary to perform their tasks.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox. 
# Demo: https://youtu.be/FSRZlD3SVQc

====================
 DESCRIPTION
====================

An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote 
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.

===================
 STEPS TO REPRODUCE
===================

1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.

================
 Vulnerable code
================
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.

function UPCP_Handle_File_Upload($Field_Name) {
	..		
	if (!is_user_logged_in()) {exit();}
		/* Make sure that the file exists */ 	 	
		elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
			$error = __('No file was uploaded here..', 'UPCP');
		}
		/* Move the file and store the URL to pass it onwards*/ 	 	
		else {				 
		 	  $msg .= $_FILES[$Field_Name]['name'];
			//for security reason, we force to remove all uploaded file
			$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
			//create the uploads directory if it doesn't exist
			if (!file_exists($target_path)) {
				  mkdir($target_path, 0777, true);
			}
			$target_path = $target_path . basename( $_FILES[$Field_Name]['name']); 
			if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
				//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
	 			  $error .= "There was an error uploading the file, please try again!";
			}
	...
}

?>

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


==========
time-line
==========

2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclousure
===================================

Navigation

Suggest Exploit

Services By CQR