-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
================================================================================

One can perform an SQL injection attack simply by exploiting the following WP
ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and visibility
by setting the POST parameters `gal_name`, `gal_desc` and `gal_visibility`
respectively.

In case #8 `photo_id` is first cast to integer and a query to the DB is
performed. If results are returned, then for each result a new query is
performed without casting `photo_id` to integer. So if an attacker knows a
valid photo id, they can perform the attack in the second query. This is
achievable because in PHP `(int)'1 and sleep(5)' === 1`.

In case #9 a user can also change the photo name, description, tags and
category by setting the POST parameters `photo_name`, `photo_desc`,
`photo_tags` and `photo_category` respectively.
In case #10 a user can also change the video name, unique id and type by
setting the POST parameters `video_name`, `video_unique_id` and `video_type`
respectively.

Because the functions wpdb::get_results() and wpdb::query() are in use here,
only one SQL statement can be made per request. This keeps the severity of the
attack low. In addition, all actions are privileged, so the user must have an
active account on the vulnerable website in order to perform the attack.

PoC
================================================================================

Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php`
with data:

`action=edit_video&video_id=1 and sleep(5)`

Timeline
================================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form on his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves the issues

Solution
================================================================================

Upgrade to version 1.5.63

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJWZ2ZhAAoJEBe10gGXVLphzFUP/3CkzkaF9sQgl3hZo2QaWzsu
kq43dBtVDQZjBQp5Qs2JqFYO7yc9FWRSZyD38CrWWtCwqK8DlMFxZYoAqwt45lEx
lYxiOUCO98BXeAUXy/DeS+gY2dgnt0FvC0SKpN59OS95Nn6EBaCcKCczavn46zxm
rPGr7GzORO7wqObgL16Rew98hmVsf+nYwFNvMBfq7NQIZQzD065S7dQKt33PNjey
u4/I3HFW7tKljVdait+LObfvLTA/TAxeFDRQhM5uRN2UGBBU5AWHwZK4JeayEaw4
i3MJPe6ZggXn3BMdrBzuySvMWuX8cEwMzJW9dKzwOz+97iZYiS5UFGH3PbT2VV0Y
It/uFdnqn6Z+f7rLRQdYpHImivkRirX6YgJ9gbT7ZqTJwrF2cTGykl8qkcddkSwU
Tt517YGXrw/8fgzRRH0/sRoK2JFq/V+pr6ksOEi/ppKdQrQaz+Kuy4lUglgN7NtC
Vlyma9GQnkPl5IAbCT18dNv8p6PcR4zcU0bKZufW2bfnEoaXVsL1vjjZ9oz9xAwX
q6i/4cGKsG7KwcSBqUNOw3SAXJjqBJhHQHrTw2TIb3bHLUh8/fGvCqQsRhfPUAf0
uAkfBQ5fXjtaKQcXif2LwjSgsaVhaiJY4Fp946mPn7E32jEswdcKrpaBA9WoPGgG
OJG27/ImQ9GJuXQV/uFW
=Fpqd
-----END PGP SIGNATURE-----
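The following is an added example, not code from the Users Ultra plugin or from the advisory author. It shows the two-query pattern the advisory describes for case #8 (an `(int)` cast on the first query, the raw POST value on the second) next to a hardened admin-ajax handler that coerces the id once, checks the nonce and ownership, and builds every statement with `$wpdb->prepare()`. The table name `uultra_photos`, its columns `id`, `user_id`, `name`, the nonce action `uu_edit_photo` and the ajax action name `example_edit_photo` are all assumed for illustration.

```php
<?php
/**
 * Added example (not the plugin's own code). Assumed names: table
 * `{$wpdb->prefix}uultra_photos` with columns `id`, `user_id`, `name`;
 * nonce action `uu_edit_photo`; ajax action `example_edit_photo`.
 */

// Weak pattern matching the advisory's case #8: the first query casts the id,
// but the loop body interpolates the raw POST string. Since
// (int)'1 and sleep(5)' === 1, the first query matches any existing row and
// the unmodified string then reaches the second query.
function example_edit_photo_weak() {
    global $wpdb;
    $photo_id = isset( $_POST['photo_id'] ) ? $_POST['photo_id'] : '';
    $table    = $wpdb->prefix . 'uultra_photos'; // assumed table name

    $rows = $wpdb->get_results( "SELECT id FROM {$table} WHERE id = " . (int) $photo_id );
    foreach ( $rows as $row ) {
        // Raw value interpolated into SQL: this is the defect the advisory reports.
        $wpdb->get_results( "SELECT * FROM {$table} WHERE id = {$photo_id}" );
    }
    wp_die();
}

// Hardened handler: nonce + login check, one integer coercion, ownership
// check, and %d / %s placeholders via $wpdb->prepare() for every statement.
function example_edit_photo_safe() {
    global $wpdb;

    // Nonce (assumed action name) and authentication. wp_ajax_* hooks already
    // require a logged-in user; the explicit check documents the intent.
    check_ajax_referer( 'uu_edit_photo', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // Coerce exactly once. absint() turns '1 and sleep(5)' into 1 and anything
    // non-numeric into 0, which is rejected before any query runs.
    $photo_id = isset( $_POST['photo_id'] ) ? absint( $_POST['photo_id'] ) : 0;
    if ( 0 === $photo_id ) {
        wp_send_json_error( 'invalid photo_id', 400 );
    }

    $table = $wpdb->prefix . 'uultra_photos'; // assumed table name
    $photo = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, name FROM {$table} WHERE id = %d", $photo_id )
    );

    // Ownership check (assumed `user_id` column): a valid account must not be
    // able to edit rows belonging to another user.
    if ( ! $photo || (int) $photo->user_id !== get_current_user_id() ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Free-text fields such as the advisory's `photo_name` go through a %s
    // placeholder, never string concatenation.
    $name = isset( $_POST['photo_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['photo_name'] ) )
        : $photo->name;

    $wpdb->query(
        $wpdb->prepare( "UPDATE {$table} SET name = %s WHERE id = %d", $name, $photo_id )
    );

    wp_send_json_success( array( 'id' => $photo_id, 'name' => $name ) );
}

// Registering only the wp_ajax_ (logged-in) variant and not wp_ajax_nopriv_
// keeps the endpoint unavailable to anonymous visitors.
add_action( 'wp_ajax_example_edit_photo', 'example_edit_photo_safe' );
```

With `%d` in `$wpdb->prepare()`, the bound value is formatted as an integer before it is spliced into the statement, so a string like the advisory's `1 and sleep(5)` can never reach MySQL as SQL text; the same holds for the `%s` placeholder, which quotes and escapes the value. Doing the coercion once, at the top of the handler, removes the inconsistency the advisory describes between the first and second query.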