Vendor: SendIt Plugin
By: evilsocket
CVSS: 7.5 (HIGH)
Vulnerability: Blind SQL Injection
CWE: 89
Product Name: SendIt Plugin
Affected Version From: 1.5.2009
Affected Version To: 1.5.2009
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:sendit_plugin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2011

WordPress SendIt plugin <= 1.5.9 Blind SQL Injection Vulnerability

The vulnerability exists due to insufficient validation of the 'lista' parameter in the '/wp-content/plugins/sendit/submit.php' script. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to bypass certain security restrictions, access, modify and delete data in the database, etc.

Mitigation:

Update to version 1.6.0 or later.

Exploit-DB raw data:

# Exploit Title: WordPress SendIt plugin <= 1.5.9 Blind SQL Injection Vulnerability
# Google Dork: inurl:"wp-content/plugins/sendit/submit.php"
# Date: 2011-08-25
# Author: evilsocket ( evilsocket [at] gmail [dot] com )
# Software Link: http://wordpress.org/extend/plugins/sendit/
# Version: 1.5.9 (tested with magic quotes OFF)


---------------
Vulnerable code
---------------

[ submit.php line 27 ]

$user_count = $wpdb->get_var("SELECT COUNT(*) FROM $table_email where email ='$_POST[email_add]' and id_lista = '$_POST[lista]';");


As you can see, the $_POST[lista] parameter is neither validated nor escaped, so you can blind SQL inject it using $user_count for the
boolean condition check:


[ submit.php line 29 ]

if($user_count>0) :
  $errore_presente = "<div class=\"error\">".__('email address already present', 'sendit')."</div>";
  die($errore_presente);

---
PoC
---

POST:

email_add = some.random.regexp.valid.email@domain.ltd
lista = BLIND SQL INJECTION HERE

TO:

http://www.site.com/wp-content/plugins/sendit/submit.php
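The following is an added example, not code from the SendIt plugin or from the advisory author: the submit.php subscriber lookup shown above (line 27) rewritten with input validation and the real WordPress $wpdb->prepare() call, beside the original concatenation for comparison. The WpdbStub class, the table name wp_sendit_email and the sample POST values are assumptions so the file runs offline with plain `php`; inside WordPress the hardened function would be called with the global $wpdb in the same way.

```php
<?php
// Added example, not the SendIt plugin's code: the submit.php subscriber lookup
// rewritten with input validation and $wpdb->prepare(). WpdbStub is an assumption
// that imitates just enough of WordPress's wpdb::prepare() to run offline.

class WpdbStub
{
    /** Imitates wpdb::prepare(): %s args are escaped and quoted, integer args pass through. */
    public function prepare(string $query, ...$args): string
    {
        // wpdb tolerates already-quoted placeholders and adds the quotes itself
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('%s', "'%s'", $query);
        $escaped = array_map(
            fn($a) => is_int($a) ? $a : addslashes((string) $a),
            $args
        );
        return vsprintf($query, $escaped);
    }
}

/** The original concatenation from submit.php line 27, kept only for comparison. */
function vulnerable_query(string $table_email, string $email, string $lista): string
{
    return "SELECT COUNT(*) FROM $table_email where email ='$email' and id_lista = '$lista';";
}

/** Hardened form: reject malformed input first, then bind the values with prepare(). */
function hardened_query(WpdbStub $wpdb, string $table_email, string $email, string $lista): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('email_add is not a valid e-mail address');
    }
    // The plugin's schema is not on the advisory page; if id_lista is a numeric
    // column, bind it with %d after FILTER_VALIDATE_INT instead of %s.
    if ($lista === '' || strlen($lista) > 64) {
        throw new InvalidArgumentException('lista is empty or too long');
    }
    return $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table_email} WHERE email = %s AND id_lista = %s",
        $email,
        $lista
    );
}

// Constructed sample input: a well-formed address and a list id carrying a single quote.
$wpdb        = new WpdbStub();
$table_email = 'wp_sendit_email';   // assumed table name
$email       = 'someone@example.com';
$lista       = "1' OR '1'='1";

echo "vulnerable: ", vulnerable_query($table_email, $email, $lista), PHP_EOL;
echo "hardened:   ", hardened_query($wpdb, $table_email, $email, $lista), PHP_EOL;
```

Running it shows the quote in `lista` terminating the string literal in the vulnerable query, while in the prepared form it is escaped and stays inside the bound value. The validation step matters as well: the script has no reason to accept an empty or very long list id, and rejecting such input before any query keeps the boolean oracle from the `$user_count` check out of reach.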