WordPress Plugin Membership Simplified v1.58 – Arbitrary File Download

Today we will discuss poor development practices in WordPress plugins, with a key focus on WordPress Plugin Membership Simplified v1.58, which as of the time of this writing is not patched. The vulnerable script is shown below:

WordPress Plugin Membership Simplified v1.58 vulnerable download script

Metadata:

Discovery: Larry W. Cashdollar

WPVDB ID: 8777

CVE-ID: CVE-2017-1002008

Dork

Standard stuff: yes, targets can be found on Google using Google dorks, because the plugin folder name appears in the URL of any site that has it installed:

inurl:/wp-content/plugins/membership-simplified-for-oap-members-only

Finding Vulnerable Sites

Issues

So here are some problems with the script above:

  • The script does not check for a valid logged-in WordPress user, nor does it protect itself from direct access. Access to it is therefore unrestricted: anyone who can reach the URL can call it.
  • Line 4 of the script lets anyone invoke a file download via the download_file parameter, and again the parameter is taken straight from the request to the script.
  • Line 5 is a weak attempt at protecting against dot-dot-slash (directory traversal) attacks: it strips the string "../" in a single pass instead of resolving the path and checking it stays inside an allowed directory.
  • The rest of the script sets a Content-Disposition header to force the download and sends the file.

Developing the payload

So, assuming a target example.com running the plugin, we would initially try exploiting it as:

http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=../../../wp-config.php

The string replace on line 5, however, strips every "../" from the parameter, so what the script actually processes is the equivalent of this URL:

http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=wp-config.php

As you can see, this gives us a 404 because wp-config.php is not in the plugin folder. This happens because of line 5. As we said, this is a weak attempt at protection, so let's beat the string replace and modify our attack a bit.

http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././wp-config.php

This is not standard path syntax, but it works because the string replace deletes the wrong bits for us before execution. It makes only one pass over the string and does not re-scan what is left (thank God for this). Each "..././" contains one "../" (the second, third and fourth characters); when that is removed, the characters on either side of it join up to form a new "../" that the filter never looks at again. So the three "..././" segments collapse to "../../../" and the request reaches the file handler as ../../../wp-config.php.

After this, well, it's go go go. We move three directories up, based on the standard WordPress structure (plugin folder → plugins → wp-content → web root, where wp-config.php lives). We cannot stress enough the kind of information contained in a WordPress configuration file (database host, name, user and password, plus the authentication salts); an attacker can model the threat further as below:

  • Connect to the WordPress database instance using the database connection information in the configuration file
  • Change user passwords in the database
  • Log in to the site and upload a web shell to achieve remote code execution on the site.

A simple exploit has been developed for this and works as shown below:

Arbitrary File download exploit in WordPress Plugin Membership Simplified

To understand how to develop such simple exploits from advisory information, there is a writeup on SlideShare: Automation of web attacks from advisories to create real world exploits.

The exploit can be downloaded from:

"I'm not a developer or scripter, I can't make such an exploit." Well, find out here how to add such an exploit to the OWASP Mth3l3m3nt Framework with no code.
