Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

E-Learning Platforms Getting Schooled- 180

Checkpoint Research, posted 5 years ago
  • With the Covid-19 epidemic, learning online has become more popular than ever. So, Checkpoint decided to look into several WordPress plugins that do just that.
  • LearnPress had two vulnerabilities. The first was privilege escalation from student to teacher via an unauthenticated function called learn_press_accept_become_a_teacher; it was literally dead code that turned out to still be callable. The second was a time-based SQLi. It is rare that a SQLi has to be time-based, but because only a single SQLi existed in the code base, this was the only way to extract data.
  • LearnDash was found to have an unauthenticated second-order SQLi. I have always found second-order SQLi interesting to spot because the input is not directly controllable. Checkpoint appears to have simply found the lack of prepared statements, then followed the inputs until they found one that could be used to escape the query.
  • LifterLMS had a very unorthodox arbitrary file write vulnerability. There is a function called export_admin_table which exports the administrative table. This function takes in a file name but does not validate it!
  • Now we control the location of the file (and the file type) but not its content. By trial and error, it was discovered that a user can register for a course with PHP code inside the username. Because of this, we almost have code execution.
  • The final trick is that the WordPress input filter does not allow both an opening and a closing angle bracket. So a trick had to be used in order to execute PHP code (which usually starts with < and ends with >). PHP is a very forgiving language: simply ending the payload with /* (the beginning of a multi-line comment) allows the PHP code to run. So, code execution :)
  • Overall, I love the Checkpoint Research articles. They have lots of detail on the bug, on how it was discovered, and on the grinding they have to do in order to exploit it.
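The second-order SQLi in the LearnDash bullet is worth seeing in code, because the defect is easy to miss in review: the value is stored correctly with a bound parameter, then read back and trusted. The following is an added example I wrote for this page; it is not code from LearnDash or from the Checkpoint write-up. The table names, the sample rows and the `courses_for_user_*` functions are all made up, and it uses an in-memory SQLite database through PDO so it runs stand-alone with `php-cli` (needs the `pdo_sqlite` extension).

```php
<?php
// Added example (not from the Checkpoint write-up or the plugins it covers).
// Demonstrates a second-order SQL injection: the untrusted value is stored
// safely first, then read back and concatenated into a later query.
// Table names, columns and rows are constructed for the demo.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
    $db->exec('CREATE TABLE enrolments (id INTEGER PRIMARY KEY, login TEXT, course TEXT)');

    // The first-order write is done correctly with bound parameters, so the
    // apostrophe in the login is stored verbatim without trouble.
    $ins = $db->prepare('INSERT INTO users (login, role) VALUES (:login, :role)');
    $ins->execute([':login' => "o'brien", ':role' => 'student']);  // constructed sample
    $ins->execute([':login' => 'alice',   ':role' => 'student']);
    $enr = $db->prepare('INSERT INTO enrolments (login, course) VALUES (:login, :course)');
    $enr->execute([':login' => "o'brien", ':course' => 'php-101']);
    $enr->execute([':login' => 'alice',   ':course' => 'php-101']);
    return $db;
}

// VULNERABLE: the login was read from the database, so the developer treats it
// as trusted and concatenates it. The stored apostrophe already breaks the
// query; a deliberately crafted login would change its meaning instead.
function courses_for_user_vulnerable(PDO $db, int $userId): array {
    $login = $db->query("SELECT login FROM users WHERE id = $userId")->fetchColumn();
    $sql = "SELECT course FROM enrolments WHERE login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: every value that reaches a query is bound, regardless of whether it
// came from the request or from an earlier row. In a WordPress plugin the
// equivalent is $wpdb->prepare() with %s / %d placeholders.
function courses_for_user_safe(PDO $db, int $userId): array {
    $st = $db->prepare('SELECT login FROM users WHERE id = :id');
    $st->execute([':id' => $userId]);
    $login = $st->fetchColumn();

    $st = $db->prepare('SELECT course FROM enrolments WHERE login = :login');
    $st->execute([':login' => $login]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = setup_db();
try {
    print_r(courses_for_user_vulnerable($db, 1));
} catch (PDOException $e) {
    echo "vulnerable version: query broken by stored data: ", $e->getMessage(), "\n";
}
print_r(courses_for_user_safe($db, 1));
```

The point of the apostrophe in a legitimate-looking login is that the concatenated query fails on ordinary data, which is how a reviewer or a fuzzer can spot this class of bug without any exploit: grep for string-built SQL, then trace every variable in it back to where it was last bound.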
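The LifterLMS chain (unvalidated export file name, attacker-influenced content via the username, and the angle-bracket filter that only partly helps) is closed by controlling the write location and extension on the server side rather than by filtering content. Below is an added example of what a hardened export routine looks like; it is my own code, not LifterLMS's `export_admin_table` or anything from the Checkpoint article. The function name `export_table_hardened`, the sample rows and the temp export directory are assumptions made for the demo, and it runs stand-alone with `php-cli`.

```php
<?php
// Added example, not code from LifterLMS or the Checkpoint write-up.
// Two controls close the export-file-write class of bug:
//   (1) the caller never chooses the path or the extension, and
//   (2) the written file lives where the web server will not execute it.
// Rows and directory below are constructed for the demo.

function export_table_hardened(string $requestedName, array $rows, string $exportDir): string {
    // Strict allowlist: no slashes, dots, NUL bytes or whitespace can slip
    // through. \A and \z are used instead of ^ and $ because $ would still
    // match a name with a trailing newline.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requestedName)) {
        throw new InvalidArgumentException('invalid export name');
    }
    // The extension is fixed by the server, never taken from the request.
    $path = $exportDir . DIRECTORY_SEPARATOR . $requestedName . '.csv';

    // Belt and braces: confirm the resolved parent is still the export dir.
    $realDir = realpath($exportDir);
    if ($realDir === false || realpath(dirname($path)) !== $realDir) {
        throw new RuntimeException('export path escaped the export directory');
    }

    // fputcsv quotes each cell as data. A cell containing "<?php ... /*" is
    // still just text in a .csv file, provided the export directory is one the
    // web server does not hand to the PHP interpreter (an assumption of this demo).
    $fh = fopen($path, 'w');
    foreach ($rows as $row) {
        fputcsv($fh, $row);
    }
    fclose($fh);
    return $path;
}

// In a WordPress plugin, additionally gate the handler with
// current_user_can('manage_options') and check_admin_referer(), and pass the
// name through sanitize_file_name() before the allowlist match above.

$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'export-demo-' . getmypid();
mkdir($dir);
$rows = [
    ['username', 'course'],
    ['alice', 'php-101'],
    ["<?php echo 'x'; /*", 'php-101'],  // constructed: hostile-looking username stays data
];

// One acceptable name and three that must be rejected (traversal, extension
// change, NUL-byte truncation).
foreach (['students', '../../outside', 'report.php', "students\0.php"] as $name) {
    try {
        echo "wrote ", export_table_hardened($name, $rows, $dir), "\n";
    } catch (Exception $e) {
        echo "rejected '", addcslashes($name, "\0"), "': ", $e->getMessage(), "\n";
    }
}

// Clean up the demo directory.
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.csv'));
rmdir($dir);
```

Note what is deliberately absent: there is no attempt to strip `<`, `>` or `<?php` from the cells. The original chain worked precisely because content filtering was the only barrier, so the fix is to make the content irrelevant by pinning the path and extension.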