Exploit / Vulnerability Discovered: 2018-04-09
Type: webapps
Platform: php
This exploit / vulnerability (BuddyPress Xprofile Custom Fields Type 2.6.3 remote code execution) is published for educational purposes only; if you use it, you do so at your own risk.
1 - Description
- User access required: any registered BuddyPress user.
- $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
- $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
2 - Proof of Concept
1 - Log in as a regular BuddyPress user.
2 - Open Edit Profile:
    http://target/members/admin/profile/edit/
3 - Fill in the profile data, including an image, and save (screenshot):
    http://target/wp-content/uploads/2018/01/buddypress-profile.png
4 - In the HTML form, change the delete-image parameter and save the profile (screenshots):
    http://target/wp-content/uploads/2018/01/buddypress-profile2.png
    http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png
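As an added example (not the plugin's code and not part of this advisory), the PHP below shows one way to handle the two request parameters named in the description and exercised in the proof of concept: the delete flag is reduced to a boolean, and the submitted file path is resolved with realpath() and checked against the uploads directory before any filesystem call. The function names, the assumption that the `_hiddenfile` value is a filesystem path that ends up in unlink(), the uploads directory and the constructed request arrays are all assumptions for illustration; the advisory itself says only that the two parameters are not escaped.

```php
<?php
// Added example, not the plugin's code. Names, the uploads directory and
// the assumed unlink() sink are illustrative assumptions.

/**
 * Return the canonical path of $candidate only if it is an existing image
 * file inside $uploads_dir; otherwise return null.
 */
function bxcft_example_safe_upload_path(string $candidate, string $uploads_dir): ?string
{
    $base = realpath($uploads_dir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "..", symlinks and returns false for missing files,
    // so a traversal or a path outside the uploads tree never reaches unlink().
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only the image types the upload feature is meant to manage.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }
    return $real;
}

/**
 * Assumed save-path flow: the delete flag is coerced to a boolean and the
 * path is validated before the filesystem is touched. Returns true only
 * when a file inside the uploads directory was actually removed.
 */
function bxcft_example_handle_delete(array $post, int $field_id, string $uploads_dir): bool
{
    $delete_key = 'field_' . $field_id . '_deleteimg';
    $file_key   = 'field_' . $field_id . '_hiddenfile';

    // Only the truthiness of the flag matters; its content is never used.
    $delete = !empty($post[$delete_key]) && $post[$delete_key] === '1';
    if (!$delete) {
        return false;
    }
    $candidate = isset($post[$file_key]) ? (string) $post[$file_key] : '';

    // Unsafe pattern, shown for contrast only:
    //   unlink($post[$file_key]);
    $safe = bxcft_example_safe_upload_path($candidate, $uploads_dir);
    if ($safe === null) {
        return false;
    }
    return unlink($safe);
}

// Constructed demonstration: a temporary uploads directory holding one image,
// and one PHP file outside it that an attacker would like to delete.
$uploads = sys_get_temp_dir() . '/bxcft_example_uploads';
@mkdir($uploads, 0700, true);
file_put_contents($uploads . '/buddypress-profile.png', "png");
$outside = sys_get_temp_dir() . '/bxcft_example_outside.php';
file_put_contents($outside, "<?php\n");

// Absolute path outside the uploads tree: refused.
var_dump(bxcft_example_handle_delete(
    ['field_3_deleteimg' => '1', 'field_3_hiddenfile' => $outside], 3, $uploads));
// Traversal out of the uploads tree: refused.
var_dump(bxcft_example_handle_delete(
    ['field_3_deleteimg' => '1', 'field_3_hiddenfile' => $uploads . '/../bxcft_example_outside.php'], 3, $uploads));
// The user's own image inside uploads: deleted.
var_dump(bxcft_example_handle_delete(
    ['field_3_deleteimg' => '1', 'field_3_hiddenfile' => $uploads . '/buddypress-profile.png'], 3, $uploads));

unlink($outside);
@rmdir($uploads);
```

Run with `php example.php`: the two requests pointing outside the uploads directory return false and leave the PHP file in place, while the request naming the image inside the uploads directory returns true. The check relies on realpath() rather than string filtering so that "..", symlinks and encoded separators are all resolved before the prefix comparison.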
--
Regards,
Lenon Leite
Buddypress xprofile custom fields type 2.6.3 remote code execution