Today we will discuss poor development practices in WordPress plugins, with a key focus on the WordPress plugin Membership Simplified v1.58, which as of the time of this writing is not patched. The vulnerable script is as below:
Metadata:
Discovery: Larry W. Cashdollar
WPVDB ID: 8777
CVE-ID: CVE-2017-1002008
Dork
Standard stuff: yes, targets can be found on Google using Google dorks:
inurl:/wp-content/plugins/membership-simplified-for-oap-members-only
Issues
So here are some problems with the script above:
- The script does not check for a valid logged-in WordPress user, nor does it protect itself from direct access. This leaves access to it completely unrestricted.
- Line 4 of the script allows anyone to invoke file downloads via the download_file parameter; again, anyone can invoke it directly on the script.
- Line 5 is a bad attempt at protecting oneself from dot-dot-slash (directory traversal) attacks.
- The rest of the script sets a Content-Disposition header to force a download.
Developing the payload
So, assuming a target example.com running the plugin, we would initially consider exploiting it as:
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=../../../wp-config.php
After the string replace on line 5, however, this is effectively treated as the following URL:
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=wp-config.php
As you can see, this will give us a 404 because wp-config.php is not in the plugin folder. This happens because of line 5. As we said, this is a bad attempt at protection, so let's beat the string replace and modify our attack a bit.
http://example.com/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././wp-config.php
This is not the standard form, but what results is that the string replace function deletes the wrong bits for us before execution. It passes only once across the string before handing it over for download (thank God for this). When the `../` parts are deleted by the string replace function, each `..././` collapses to `../`.
After this, well, it's go go go. We move 3 directories up, based on the standard WordPress structure. We cannot stress enough how sensitive the information contained in a WordPress configuration file is; an attacker can model the threat further as below:
- Connect to the WordPress database instance using the database connection information in the configuration file
- Change user passwords in the database
- Log in to the site and upload a web shell to achieve remote code execution on the site.
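As an added example that is not part of the original post or of the plugin's code: a stand-in for line 5's single-pass `str_replace` next to a hardened download check that accepts only a bare file name and resolves it inside an allow-listed directory. The directory layout and file names (`plugin/files/report.pdf`, `secret.txt`) are constructed for the demonstration.

```php
<?php
// Stand-in for the weak check discussed above: a single pass of str_replace
// removes each "../" once, so "..././" collapses to "../" afterwards.
function weak_sanitize(string $name): string {
    return str_replace('../', '', $name);
}

// Hardened version: accept only a bare file name and require the resolved
// path to stay inside $baseDir. Returns the real path, or null to refuse.
function safe_download_path(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // No directory components at all: basename() must leave the name unchanged.
    if ($name === '' || $name === '.' || $name === '..' || basename($name) !== $name) {
        return null;
    }
    // realpath() follows symlinks and returns false for missing files, so the
    // prefix check below also catches links that point outside $baseDir.
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed layout: $tmp/plugin/files is the allowed directory and
// $tmp/secret.txt stands in for a sensitive file outside it.
$tmp = sys_get_temp_dir() . '/dl-demo-' . getmypid();
mkdir("$tmp/plugin/files", 0700, true);
file_put_contents("$tmp/plugin/files/report.pdf", 'ok');
file_put_contents("$tmp/secret.txt", 'outside');

$allowed = "$tmp/plugin/files";
$probe   = '..././..././secret.txt';

echo 'weak filter yields: ', weak_sanitize($probe), PHP_EOL;
var_dump(safe_download_path($allowed, 'report.pdf') !== null);
var_dump(safe_download_path($allowed, $probe));
var_dump(safe_download_path($allowed, '../../secret.txt'));

// Clean up the constructed files.
unlink("$tmp/plugin/files/report.pdf");
unlink("$tmp/secret.txt");
rmdir("$tmp/plugin/files");
rmdir("$tmp/plugin");
rmdir($tmp);
```

The weak filter turns the doubled sequence into plain `../` segments, while the hardened check refuses anything that is not a single file name inside the allowed directory.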
A simple exploit has been developed for this and works as below:
To understand how to develop such simple exploits from advisory information, there is a writeup on Slideshare: Automation of web attacks from advisories to create real world exploits.
Exploit can be downloaded from:
I'm not a developer or scripter, I can't make such an exploit… Well, find out here how to add such an exploit to the OWASP Mth3l3m3nt Framework with no code.