Skip to content

Instantly share code, notes, and snippets.

@Shinkurt
Created July 25, 2017 14:37
Show Gist options
  • Save Shinkurt/157dbb3767c9489f3d754f79b183a890 to your computer and use it in GitHub Desktop.
Save Shinkurt/157dbb3767c9489f3d754f79b183a890 to your computer and use it in GitHub Desktop.
WP-Media: WP-Rocket
Details:
Using PHP Version: 5.6.1
Apache/ini Settings: unnecessary
Wp-Rocket Version: 2.9.3
1st. Vulnerability is a bypass for the issue patched. the patch is incomplete and can be bypassed.
The patch looks like: /inc/front/process.php
42: $host = str_replace( array( '..', chr(0) ), '', $host );
But poking around, I have found a bypass for that specific fix so the first vulnerability that was patched in 2015 is still producible.
The payload I used is: .%00.../.%00.../path/file/to/include
Because of the $00, the filter wouldn't find it but also since null is
an empty character it will create ../../ for us by sending .%00.../.%00.../
To test this, use the following PHP code:
$host = $_SERVER['HTTP_HOST'];
$host = str_replace( array( '..', chr(0) ), '', $host );
include $host;
and send .%00.../.%00.../path/file/to/include
and that file will be included, so the first patch is completely
incomplete and over 200k sites are using a vulnerable version ever
since.
2nd. Local File Inclusion in wp-rocket/min/config.php:
10: $host = $_SERVER['HTTP_HOST']; << SINK
11: $host = str_replace( array( '..', chr(0) ), '', $host );
12: $wp_rocket_config_file = dirname( dirname( dirname( dirname(
__FILE__ ) ) ) ) . '/wp-rocket-config/' . $host . '.php';
if ( file_exists( $wp_rocket_config_file ) && ! defined( 'ABSPATH' ) ) {
// Create fake ABSPATH
define( 'ABSPATH', null );
18: require( $wp_rocket_config_file ); << ISSUE
}
As you can see, the same issue that is found in process.php is
happening here, it is including $host (user controlled value) with
11th line being a patch which also is bypassable with my demo:
.%00.../.%00.../
The rest of the bugs are sent to Gregory about Imagify and he
validated and will issue a patch.
Fix should be easy:
$safe_files=array("test","config","includes","special");
if(in_array($file,$safe_files)){
require_once $file."/config.php";
}
Copy link

ghost commented Jul 17, 2018

Hi, can you do an example with a complete url?

@w9w
Copy link

w9w commented Oct 15, 2018

Full PoC please

@JohnTroony
Copy link

Hey, I don't understand your PoC. Do you mind explaining a bit more?

@keyurvala
Copy link

keyurvala commented Mar 12, 2020

Can you please Explain in Detail?

@Singh1Harjot
Copy link

Full PoC please

@whatsdd
Copy link

whatsdd commented Apr 22, 2022

Full POC please

@CyberWorld121220
Copy link

Hey, I don't understand your PoC. Do you mind explaining a bit more?

@dragonked2
Copy link

Full PoC
including Example url please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment