* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
========================================================================

One can perform an SQL injection attack simply by exploiting the following WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and visibility by setting the POST parameters `gal_name`, `gal_desc` and `gal_visibility` respectively.

In case #8 `photo_id` is first cast to integer and a query to the DB is performed. If results are returned, then for each result a new query is performed without casting `photo_id` to integer. So if an attacker knows a valid video id, then it can perform the attack in the second query. This is achievable because `<?php (int)'1 and sleep(5)' === 1; ?>`.

In case #9 a user can also change the photo name, description, tags and category by setting the POST parameters `photo_name`, `photo_desc`, `photo_tags` and `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by setting the POST parameters `video_name`, `video_unique_id` and `video_type` respectively.

Because the functions wpdb::get_results() and wpdb::query() are in use here, only one SQL statement can be made per request. This keeps the severity of the attack low.

In addition, all actions are privileged, so the user must have an active account on the vulnerable website in order to perform the attack.

PoC
========================================================================

Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data:

`action=edit_video&video_id=1 and sleep(5)`

Timeline
========================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution
========================================================================

Upgrade to version 1.5.63
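The pattern the advisory describes for case #8 (the id is cast to int for the first query, but the raw POST value is reused in the follow-up query), next to the hardened shape a fixed version would take, as an added PHP illustration that is not the plugin's own code; function, table and nonce names are assumptions.

```php
<?php
// Added illustration, not the Users Ultra plugin's code. $wpdb is WordPress's
// global database object; function, table and nonce names are hypothetical.

// Vulnerable shape: the (int) cast only protects the first statement.
function uu_edit_photo_vulnerable() {
    global $wpdb;
    $photo_id = (int) $_POST['photo_id'];   // '1 and sleep(5)' casts to 1
    $rows = $wpdb->get_results(
        "SELECT photo_id FROM {$wpdb->prefix}uu_photos WHERE photo_id = $photo_id"
    );
    foreach ( $rows as $row ) {
        // Raw $_POST value interpolated: the trailing 'and sleep(5)'
        // reaches MySQL here once a valid id makes the loop run.
        $wpdb->query(
            "UPDATE {$wpdb->prefix}uu_photos SET updated = NOW()"
            . " WHERE photo_id = {$_POST['photo_id']}"
        );
    }
}

// Hardened shape: authorise, validate once, keep only the validated value,
// and route every statement through wpdb::prepare().
function uu_edit_photo_hardened() {
    global $wpdb;
    // The advisory notes these actions require an account; the nonce check
    // (action name assumed) is what WordPress ajax handlers are expected to do.
    if ( ! is_user_logged_in() || ! check_ajax_referer( 'uu_edit_photo', 'nonce', false ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $photo_id = isset( $_POST['photo_id'] ) ? absint( $_POST['photo_id'] ) : 0;
    if ( 0 === $photo_id ) {
        wp_send_json_error( 'invalid photo_id', 400 );
    }
    $table = $wpdb->prefix . 'uu_photos';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT photo_id FROM {$table} WHERE photo_id = %d", $photo_id )
    );
    foreach ( $rows as $row ) {
        $wpdb->query(
            $wpdb->prepare(
                "UPDATE {$table} SET updated = NOW() WHERE photo_id = %d",
                (int) $row->photo_id   // value from the DB row, never from $_POST
            )
        );
    }
    wp_send_json_success();
}
```

The hardened handler never touches `$_POST['photo_id']` after validation, so the second statement cannot see a different value than the first.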