header-logo
Suggest Exploit
vendor:
Users Ultra
by:
Panagiotis Vagenas
6,4
CVSS
MEDIUM
Blind SQL injection
89
CWE
Product Name: Users Ultra
Affected Version From: 1.5.50
Affected Version To: 1.5.50
Patch Exists: YES
Related CWE: N/A
CPE: a:usersultra:users_ultra:1.5.50
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress 4.3.1
2015

WordPress Users Ultra Plugin [Blind SQL injection]

One can perform an SQL injection attack simply by exploiting the following WP ajax actions: edit_video, delete_photo, delete_gallery, delete_video, reload_photos, edit_gallery, edit_gallery_confirm, edit_photo, edit_photo_confirm, edit_video_confirm, set_as_main_photo, sort_photo_list, sort_gallery_list, reload_videos. POST parameters that are exploitable in each action respectively: video_id, photo_id, gal_id, video_id, gal_id, gal_id, gal_id, photo_id, photo_id, video_id, photo_id, gal_id, order, order, video_id. In case #7 a user can also change the gallery name, description and visibility by setting POST parameters gal_name, gal_desc and gal_visibility respectively. In case #8 photo_id is first casted to integer and a query to DB is performed. If results are returned then for each result a new query is performed without casting the photo_id to integer. So if an attacker knows a valid video id then it can perform the attack in the second query. This achievable because <?php (int)'1 and sleep(5)' === 1; ?>. In case #9 a user can also change the photo name, description, tags and category by setting POST parameters photo_name, photo_desc, photo_tags and photo_category respectively. In case #10 a user can also change the video name, unique id and type by setting POST parameters video_name, video_unique_id and video_type respectively.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.
Source

Exploit-DB raw data:

* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description
========================================================================

One can perform an SQL injection attack simply by exploiting the following =
WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and visibil=
ity by setting POST parameters `gal_name`, `gal_desc` and `gal_visibility` =
respectively.

In case #8 `photo_id` is first casted to integer and a query to DB is perfo=
rmed. If results are returned then for each result a new query is performed=
 without casting the `photo_id` to integer. So if an attacker knows a valid=
 video id then it can perform the attack in the second query. This achievab=
le because `<?php (int)'1 and sleep(5)' === 1; ?>

In case #9 a user can also change the photo name, description, tags and cat=
egory by setting POST parameters `photo_name`, `photo_desc`, `photo_tags` a=
nd `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by se=
tting POST parameters `video_name`, `video_unique_id` and `video_type` resp=
ectively.

Because function wpdb::get_results() and wpdb::query() are in use here, onl=
y one SQL statement can be made per request. This holds severity of the att=
ack low.
In addition all actions are privileged so the user must have an active acco=
unt in vulnerable website, in order to perform the attack.


PoC
========================================================================

Send a post request to `http://my.vulnerable.website.com/wp-admin/admin-aja=
x.php` with data: `action=edit_video&video_id=1 and sleep(5) `

Timeline
========================================================================

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution
========================================================================

Upgrade to version 1.5.63

Navigation

Suggest Exploit

Services By CQR