Exploits / Vulnerability Discovered : 2018-04-09 |
Type : webapps |
Platform : php
This exploit / vulnerability Wordpress plugin simple fields 0.2 0.3.5 local/remote file inclusion / remote code execution is for educational purposes only and if it is used you will do on your own risk!
1. Description
Versions 0.2 to 0.3.5 of the Simple Fields WordPress plugin are vulnerable to local file inclusion if running on PHP <5.3.4. This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini.
PHP <5.3.4 is required because the exploit relies on the ability to inject a null byte to terminate a string before the script expects it to be and this was fixed in PHP 5.3.4
The vulnerability was fixed (commented out) in version 0.3.6 on 2011-02-03. Simple Fields is no longer actively developed, since 2016-02-27 (http://simple-fields.com/2016/bye-bye-simple-fields/)
The vulnerable line of code in simple_fields.php is:
require( $_GET["wp_abspath"] . './wp-blog-header.php' );
2. Proof of concept
LFI:
http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00