Wordpress Plugin Hacking

From Security Weekly Wiki

Episode

This tech segment appeared on Security Weekly - Episode 304 for Thursday October 11th, 2012

Tech Segment

In this technical segment, we will look at Charlie Eriksen's research into WordPress plugin security. By searching large amounts of code for constructs that are often written insecurely, it is possible to find a large number of vulnerabilities in plugins running on thousands of WordPress sites across the internet.

The basic method involves searching for method calls that can have an undesirable side effect or that are often not properly understood by developers. While a simple search will give you tens of thousands of results, it is possible to write regexes that return likely candidates for vulnerabilities. Even then, you will have to browse through a lot of code to find instances that are worth investigating further. One important thing to look for is the combination of a potentially dangerous method and the presence of user input. At first, looking for these methods combined with the use of $_POST/$_GET/$_REQUEST will give you very likely candidates for exploitation. But you can also write search patterns that look for the methods below together with a reference to a request parameter in the lines just before the function invocation.

The methods that are most often used insecurely include:

* $wpdb->get_results
* $wpdb->get_var
* $wpdb->get_row
* file_get_contents
* include(_once)
* require(_once)
* eval/exec/shell_exec/system

In the technical segment, we'll look at 4 vulnerable plugins, how we can tell that they're vulnerable, how to exploit them, and how to ensure that they can't be exploited:

http://ceriksen.com/2012/07/25/wordpress-flexi-quote-rotator-plugin-multiple-vulnerabilities/

http://ceriksen.com/2012/08/20/wordpress-zingiri-shop-sql-injection-vulnerabilities/

http://ceriksen.com/2012/05/23/wordpress-profile-builder-plugin-vertical-privilege-escalation/

http://ceriksen.com/2012/07/10/wordpress-symposium-plugin-multiple-sql-injection-vulnerabilities-2/

More information can be found on http://ceriksen.com, and you can follow Charlie @charlieeriksen.
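The search heuristic described in the segment, as an added example that is not part of the original page or of Charlie Eriksen's own tooling: a small Python scanner that flags each listed sink call referencing $_GET/$_POST/$_REQUEST on the same line or within a few preceding lines, and marks calls wrapped in $wpdb->prepare() so they can be triaged at lower priority. The PHP sample is constructed for the example, not taken from any real plugin.

```python
import re

# Sinks the segment lists as the ones most often misused in WordPress plugins.
SINK_RE = re.compile(
    r"\$wpdb->(?:get_results|get_var|get_row)\s*\("
    r"|\bfile_get_contents\s*\("
    r"|\b(?:include|require)(?:_once)?\b"
    r"|\b(?:eval|exec|shell_exec|system)\s*\("
)
INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\b")  # direct request-parameter use

def find_candidates(php_source, lookback=3):
    """Return (sink_line_no, sink_text, input_line_no, uses_prepare) for each sink
    that references request input on its own line or the `lookback` lines before it."""
    lines = php_source.splitlines()
    hits = []
    for idx, line in enumerate(lines):
        sink = SINK_RE.search(line)
        if not sink:
            continue
        input_line = None
        if INPUT_RE.search(line):
            input_line = idx + 1
        else:  # walk backwards so the nearest preceding reference is reported
            for back in range(idx - 1, max(-1, idx - lookback - 1), -1):
                if INPUT_RE.search(lines[back]):
                    input_line = back + 1
                    break
        if input_line is None:
            continue
        # Calls wrapped in $wpdb->prepare() still deserve a look, but at lower priority.
        hits.append((idx + 1, sink.group(0), input_line, "$wpdb->prepare(" in line))
    return hits

# Constructed sample of plugin code (not from any real plugin); line numbers matter.
SAMPLE_PHP = """<?php
$data = file_get_contents(__DIR__ . "/config.json");
$id = intval($_GET['id']);
$rows = $wpdb->get_results("SELECT * FROM quotes WHERE id = $id");
$q = $_POST['q'];
$one = $wpdb->get_var("SELECT name FROM items WHERE name = '$q'");
$row = $wpdb->get_row($wpdb->prepare("SELECT * FROM t WHERE id = %d", $_REQUEST['id']));
$page = $_GET['page'];
include($page . ".php");
"""

if __name__ == "__main__":
    for line_no, sink, input_line, prepared in find_candidates(SAMPLE_PHP):
        flag = " [prepare()]" if prepared else ""
        print(f"line {line_no}: {sink} uses request input from line {input_line}{flag}")
```

Every hit is a candidate for manual review, not a confirmed bug: the intval()-guarded query on line 4 of the sample is flagged just like the unguarded ones, while the file_get_contents() call with no nearby request input is skipped.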