Title: Multiple Unauthenticated blind SQL injections in WordPress Plugin Membership Simplified v1.58
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-17
CVE-ID: CVE-2017-1002009, CVE-2017-1002010
CWE: CWE-89 SQL Injection
Download Site: http://membership.officeautopilot.com/get-it-now/
Vendor: http://membership.officeautopilot.com/
Vendor Notified: 2017-03-17
Vendor Contact: http://membership.officeautopilot.com/1-58-has-been-released-and-works-with-version-4-5-of-wordpress/#comment-484
Advisory: http://www.vapidlabs.com/advisory.php?v=188
Description: Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.
Vulnerability: The code in membership-simplified-for-oap-members-only/updateDB.php is vulnerable to blind SQL injection because it does not sanitize the user input it reads from POST parameters before concatenating it into its SQL queries. It also does not check that the requesting user is authorized to make updates to the database, and because the script includes wp-config.php directly it can be requested on its own, so the injection is reachable without authentication.

    // updateDB.php, lines 2-8: request parameters are read straight from POST with no sanitization
    require_once("../../../wp-config.php");   // bootstraps WordPress so $wpdb is available
    global $wpdb;
    $table_name = $wpdb->prefix . "download_listing";
    $media_table_name = $wpdb->prefix . "media_listing";
    $action = $_POST['action'];
    $updateRecordsArray = $_POST['recordsArray'];
    $mediaupdateRecordsArray = $_POST['mediaRecordsArray'];
CVE-2017-1002009:
I chose to test the SQL injection against the delete action as it was the most straightforward injection point.
    // updateDB.php, lines 34-43: the 'delete' action
    if($action == 'delete') {
        $upload_base_dir = wp_upload_dir();
        $upload_dir = $upload_base_dir['basedir'];
        $path= $upload_dir.'/membership-simplified-for-oap-members-only/';
        // recordId is concatenated unquoted into the SELECT ...
        $fileName = $wpdb->get_row("select fileName from $table_name where recordId= ".$_POST['recordId']."");
        @unlink($path.$fileName->fileName);
        // ... and quoted, but still unescaped, into the DELETE
        $query= "delete from $table_name where recordId= '".$_POST['recordId']."' ";
        $wpdb->query($query) or die('Error, insert query failed');

    }
CVE-2017-1002010:
    // updateDB.php, lines 56-65: the 'delete_media' action
    if($action == 'delete_media') {
        $upload_base_dir = wp_upload_dir();
        $upload_dir = $upload_base_dir['basedir'];
        $path = $upload_dir.'/membership-simplified-for-oap-members-only/';
        $fileName = $wpdb->get_row("select fileName from $media_table_name where recordId= ".$_POST['recordId']."");
        //@unlink($path.$fileName->fileName);
        // note the POST parameter name here is 'recordID', not 'recordId' as above
        $query= "delete from $media_table_name where recordId= '".$_POST['recordID']."' ";
        $wpdb->query($query) or die($query);
    }
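For comparison, a hardened version of the delete handler, added here as an illustration and not taken from the plugin or from any vendor fix: it adds the missing authorization check, a nonce, integer validation of recordId and parameterised queries. The capability name and nonce action are assumptions for the example, and the function is assumed to run inside WordPress (for example hooked via add_action) rather than as a directly requested script.

```php
<?php
// Hardened delete handler (illustrative example, not the plugin's own code).
// Assumes it runs inside WordPress, so $wpdb, current_user_can() and
// wp_verify_nonce() are available. 'manage_options' and the nonce action
// 'msfo_delete_record' are assumed names for this example.
function msfo_handle_delete_secure($post, $table_suffix) {
    global $wpdb;

    // 1. Authorization: the original script never checked who is calling it.
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_die('Forbidden', 403);
    }
    // 2. CSRF protection: require a nonce issued to this user for this action.
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'msfo_delete_record')) {
        wp_die('Invalid request', 403);
    }
    // 3. Input validation: recordId must be a positive integer, nothing else.
    $record_id = isset($post['recordId']) ? absint($post['recordId']) : 0;
    if ($record_id === 0) {
        wp_die('Bad record id', 400);
    }
    // Only the two tables the plugin actually uses may be addressed.
    if (!in_array($table_suffix, array('download_listing', 'media_listing'), true)) {
        wp_die('Bad table', 400);
    }
    $table = $wpdb->prefix . $table_suffix;

    // 4. Parameterised query: %d binds the value as an integer, never as SQL text.
    $file_name = $wpdb->get_var(
        $wpdb->prepare("SELECT fileName FROM {$table} WHERE recordId = %d", $record_id)
    );
    if ($file_name !== null) {
        $upload_dir = wp_upload_dir();
        // basename() as defence in depth so a stored name cannot leave the directory.
        $target = $upload_dir['basedir'] . '/membership-simplified-for-oap-members-only/' . basename($file_name);
        if (is_file($target)) {
            unlink($target);
        }
    }
    // 5. $wpdb->delete() builds the DELETE from the format spec, no string concatenation.
    $deleted = $wpdb->delete($table, array('recordId' => $record_id), array('%d'));
    if ($deleted === false) {
        wp_die('Delete failed', 500);
    }
    return $deleted; // number of rows removed
}
```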