WordPress Multilingual Plugin (WPML) has 1 million active installations. It's a premium plugin that provides automatic language translation features.
Templates have become more popular in recent years. They are pre-built web pages with placeholders in the code that take input to customize the page. The escaped templating code can also contain logic such as loops, if statements and much more.
WordPress has a feature called Shortcode Blocks that functions similarly to templates. An example is adding an image to the page: the shortcode handles all of the custom HTML formatting for you. In WordPress, custom shortcodes can be registered and then used in the program.
The WPML plugin added three custom shortcodes: language switcher, selector widget and selector footer. The language switcher shortcode used a Twig template with its content before it was evaluated.
Unfortunately, it appears that the input from the user was being double evaluated, resulting in template injection. Although the article shows the code, it does not discuss the reason for this vulnerability occurring or the fix for it, which is a bummer. With template injection, {{7 * 7}} will be evaluated as 49 when returned, which is how the author found it.
In WordPress, all single and double quotes are escaped, which made exploitation difficult. They found that some functions that returned strings could be called without parameters. Then, they could use a string slicing method to get the character that they wanted from the function call. Using this, they were able to generate arbitrary strings for inputs to execute bash commands. A good and impactful bug!
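A defensive check for the injection described above, as an added example that is not from the original write-up or the WPML project: it scans stored post content for enclosing shortcodes whose attributes or body contain Twig delimiters, such as the {{7 * 7}} probe. The shortcode name example_switcher and the sample posts are constructed placeholders.

```python
import re

# Twig opening delimiters: {{ expression, {% statement, {# comment
TWIG_OPEN = re.compile(r"\{\{|\{%|\{#")

# Enclosing shortcode: [name attrs]body[/name]; the backreference pairs the tags.
SHORTCODE = re.compile(
    r"\[(?P<name>[A-Za-z][\w-]*)(?![\w-])(?P<attrs>[^\]]*)\]"
    r"(?P<body>.*?)\[/(?P=name)\]",
    re.DOTALL,
)


def find_template_syntax(post_content, watched=None):
    """Return (shortcode, where, snippet) for each enclosing shortcode whose
    attributes or body contain Twig delimiters. `watched` optionally limits
    the scan to a set of shortcode names."""
    hits = []
    for m in SHORTCODE.finditer(post_content):
        name = m.group("name")
        if watched is not None and name not in watched:
            continue
        for where in ("attrs", "body"):
            text = m.group(where)
            found = TWIG_OPEN.search(text)
            if found:
                snippet = text[found.start():found.start() + 40].strip()
                hits.append((name, where, snippet))
    return hits


def scan(posts, watched=None):
    """Map post id -> hits, keeping only posts with at least one hit."""
    return {pid: h for pid, c in posts.items()
            if (h := find_template_syntax(c, watched))}


# Constructed sample posts; "example_switcher" is a placeholder shortcode name.
SAMPLE_POSTS = {
    101: "Welcome! [example_switcher]English | Deutsch[/example_switcher]",
    102: "[example_switcher]{{7 * 7}}[/example_switcher]",
    103: "[gallery ids='1,2'] Prices use {{ braces }} in plain text.",
    104: "[example_switcher]{% if true %}x{% endif %}[/example_switcher]",
}

if __name__ == "__main__":
    for post_id, hits in scan(SAMPLE_POSTS, {"example_switcher"}).items():
        print(post_id, hits)
```

Braces outside a shortcode (post 103) are not flagged, which keeps the check focused on content that a shortcode handler would receive.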