Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload

2024-03-2500:00:00

Emad

everest backup plugin

admin+ role

file upload

.ebwp format

http request

content-disposition

code execution

exploit

AI Score

9.4

Confidence

High

EPSS

Percentile

9.0%

JSON

Description The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

1. Go to the plugin setting and in the "Restore" section upload the backup file by the "Select File" button(.ebwp format). Select an a file on your computer with the `.ebwp` extension. It must have some contents to pass the plugins validation check. As a PoC, add `<?php echo system($_GET['cmd']); ?>`
2. Capture the HTTP request and in "Content-Disposition:" change the file extension `.php`.
3. Check the response of the HTTP request and if the upload was successful the status code will be "200" and in the body, you can see the path of your file.
4. Open the file and run the code, i.e `cmd.php?cmd=ls` open the file and run your code. In this example, you will get a directory listing.