WordPress WP-Syntax 0.9.1 Command Execution

Type packetstorm
Reporter Inj3ct0r
Modified 2009-08-15T00:00:00


Wordpress Plugin WP-Syntax <= 0.9.1 Remote Command Execution  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
WP-Syntax - This is the most popular plugin for wordpress to highlight  
the code. It is used on many sites, such as Stefan Esser uses it on his  
blog. For me this plugin is of interest, as found in his blog quite a  
large farm-partnerki. Following an analysis of source code, I found  
quite unusual vulnerability, therefore, decided to create a separate  
topic. Probably somebody have comments or thoughts about a more elegant  
WP-Syntax uses the library GeSHi, which implements all the functionality  
to review the syntax and appropriate for each language html-code. Having  
reviewed the main script plugin wp-syntax.php, I moved to the folder  
test, where the 2 scripts: index.php and code.php. Code.php contains  
code examples for different languages, and leads them to the index.php  
illumination to demonstrate the capacity of the plug-in. Index.php  
inkludit wp-syntax.php, which in turn connects geshi.php. According to  
the developer wp-syntax.php can be called only in the context of WP,  
while the test / index.php can be run independently of the platform, the  
author decided to use samopalnoe WP likeness of a mechanism to implement  
the callback-function. Who is familiar with the internal device, WP, or  
at least see part of the code can understand what I am talking about  
functions add_action (), do_action (), apply_filters (), etc.  
Self-f-tion apply_filters as follows:  
PHP code:  
function apply_filters($tag, $string)   
global $test_filter;   
if (!isset($test_filter[$tag])) return $string;   
uksort($test_filter[$tag], "strnatcasecmp");   
foreach ($test_filter[$tag] as $priority => $functions)   
if (is_null($functions)) continue;   
foreach($functions as $function)   
$string = call_user_func_array($function, array($string));   
return $string;   
Global array test_filter there has not previously initialized, so you  
can add to the random elements, with register_globals = on and then  
execute any function using call_user_func_array. In WP there is a  
special t-tion - unregister_globals, protects against these  
vulnerabilities, but another case - the script works outside the context  
of WP.  
apply_filters called in several places, one of them:  
<title>WP-Syntax Test Page</title>   
<link rel="stylesheet" href="../wp-syntax.css" type="text/css" media="screen" />   
/* ... */   
function test_head()   
echo apply_filters("wp_head", "");   
As we can see the complexity of the case is that you can not function  
with arbitrary arguments - will be transferred to an empty argument of  
type string. At first glance it seemed to me that even banal phpinfo ()  
will not be able to perform because it only takes an argument of type  
integer, or there is an error of level E_WARNING. However vniknuv the  
logic of the F-apply_filters is clear that the argument for change  
call_user_func_array () can be, because it runs in a loop and assigns  
the result of his argument for the next callback-function. In other  
words by means of a chain composed of functions could be to receive and  
transmit the -1 value in phpinfo (-1 = INFO_ALL). Then I started  
remembering all the functions of PHP, which could help me in this  
situation. As it turned out many of the functions do not take arguments,  
causing the error, if they give a blank value. Nevertheless, I need the  
sequence of function calls was found:  
First call the function pi (), returns the value of pi. Oddly, this  
feature, despite the lack of arguments, it is an error "Wrong parameter  
count for". Then comes the call to the function cos (), which is passed  
the value of pi. As you know, cos (pi) = -1, so in the phpinfo ()  
reaches the desired value and output data.  
It seemed no longer to achieve, but I continue to seek ways to perform  
arbitrary commands. It was necessary to find a function that returns  
would be needed for my data. These data could be obtained from the  
environment, but do not reach appropriate functions. However, the way  
all the same was found =)  
PHP code:  
echo session_id();   
echo session_id("");   
echo session_id();   
It was found that the session_id returns last ID, despite the fact that  
the function was transferred to the parameter. I do not know this bug or  
not, but at the docks on that occasion said nothing. As a result, the  
final query looks as follows:  
F-tion session_id () can return a value as the current session ID, and  
install it, if there was any argument. I obviously need to get value,  
but how to deal with an empty parameter, which is constantly being  
passed? I decided to check the return value of this script:  
GET /wp/2.7/wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=session_start&test_filter[wp_head][99][1]=session_id&test_filter[wp_head][99][2]=system HTTP/1.0  
Host: localhost  
Cookie: PHPSESSID=dir  
Connection: close  
# ~ - [ [ : Inj3ct0r : ] ]