realty-workstation 1.0.6 WordPress plugin SQL injection

Vulnerability Metadata

Date of Disclosure: May 09 2022
Affected Software: realty-workstation
Affected Software Type: WordPress plugin
Version: 1.0.6
Weakness: SQL Injection
CWE ID: CWE-89
CVE ID: CVE-2022-1691
CVSS 3.x Base Score: 4.9
CVSS 2.0 Base Score: 4.0
Reporter: Daniel Krohmer, Shi Chen
Reporter Contact: daniel.krohmer@iese.fraunhofer.de
Link to Affected Software: https://wordpress.org/plugins/realty-workstation
Link to Vulnerability DB: https://nvd.nist.gov/vuln/detail/CVE-2022-1691

Vulnerability Description

The trans_edit query parameter in realty-workstation 1.0.6 is vulnerable to SQL injection. An existing, authenticated agent can abuse the plugin's Edit functionality by crafting a malicious GET request.

Exploitation Guide

Log in as an admin user.

realty-workstation_step-1.png

Go to Realty Workstation and click on Agents.

realty-workstation_step-2.png

Add a new agent by clicking on Add New Agent.

realty-workstation_step-3.png

Provide arbitrary user information, then click on Save.

realty-workstation_step-4.png

Go to Realty Workstation and then hit Agent Transactions.

realty-workstation_step-5.png

Fill some arbitrary data and click on Save.

realty-workstation_step-6.png

As an unauthenticated user, visit the main blog page and go to the Workstation.

realty-workstation_step-7.png

Sign in with the credentials of the previously created agent.

realty-workstation_step-8.png

Click on Edit in the agent view of the workstation.

realty-workstation_step-9.png

Clicking the Edit button from the previous step triggers the vulnerable request; trans_edit is the vulnerable query parameter.

realty-workstation_step-10.png

A POC may look like the following request:

realty-workstation_step-11.png

Important: The exploit works for both transactions=open_agent_transactions and transactions=open_transactions.

realty-workstation_step-12.png

In the code, the vulnerability is triggered by the unsanitized user input trans_edit at line 190 in ./public/template/agent-page.php. The final database query is executed at line 30 in ./cn_package/includes/class-workstation-query.php.

realty-workstation_step-13.png
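The remediation this root cause calls for, as an added example that is not the plugin's code: the advisory only states that trans_edit reaches the final query unsanitized, so the query shape, the table and column names and the function names below are assumptions. The vulnerable concatenation pattern is shown beside the hardened form, which casts the id with absint() and binds it through $wpdb->prepare().

```php
<?php
// Added illustration, not the plugin's code. Table name, column names and
// query shape are assumed; the advisory only says trans_edit reaches the
// database query without sanitization.

// Vulnerable pattern (assumed): the raw query-string value is concatenated
// into the SQL text, so any characters after the digits become part of the
// statement the database executes.
function rws_get_transaction_unsafe() {
    global $wpdb;
    $trans_edit = isset( $_GET['trans_edit'] ) ? $_GET['trans_edit'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}rws_transactions WHERE id = " . $trans_edit;
    return $wpdb->get_row( $sql );
}

// Hardened form: a transaction id is an integer, so cast it with absint()
// and let $wpdb->prepare() bind it as %d. The row is also restricted to the
// logged-in agent (assumed agent_id column), so one agent cannot open another
// agent's transaction even with a well-formed id.
function rws_get_transaction_safe() {
    global $wpdb;
    if ( ! isset( $_GET['trans_edit'] ) ) {
        return null;
    }
    $trans_edit = absint( wp_unslash( $_GET['trans_edit'] ) );
    if ( 0 === $trans_edit ) {
        return null; // non-numeric input casts to 0: nothing to edit
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}rws_transactions WHERE id = %d AND agent_id = %d",
            $trans_edit,
            get_current_user_id()
        )
    );
}
```

The same pattern applies to the transactions parameter: accept only the known values open_agent_transactions and open_transactions before using it to choose a query.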

Exploit Payload

Note that the cookies and nonces must be replaced with the values from your own session, otherwise the request will not work. The SQL injection can be triggered by sending the request below.

GET /?page_id=286&transactions=open_transactions&trans_edit=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/?page_id=286&transactions=open_agent_transactions&trans_edit=1
Cookie: PHPSESSID=rmv93d526mhc8cvjf72hdaacrk; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651756511%7CcItznI8IWbEEnPDRsizkJZkrYojSFqzr2ySRUf1DEys%7C27bbb08bd6cc4106de1fd37daf991abff108f78ed51facd7e7d37c86c40b901a; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651583711
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin