WA Form Builder 1.1 - SQL Injection

Homepage:

https://wordpress.org/plugins/wa-form-builder/

Description:

User access required: any user.

$_POST['wa_forms_Id'] is not escaped before it is used in a SQL query. WAFormBuilder_ui_output() is accessible to any user.

File / Code:

Path: /wp-content/plugins/wa-form-builder/main.php

Line: 779

global $wpdb;

// Debug output left in the plugin: it prints the raw query, including the untrusted id.
echo 'SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id'];

// $_REQUEST['wa_forms_Id'] is concatenated into the query without escaping, casting or $wpdb->prepare().
$form_attr = $wpdb->get_row('SELECT * FROM '.$wpdb->prefix.'wap_wa_form_builder WHERE Id = '.$_REQUEST['wa_forms_Id']);

$user_fields .= '<table width="100%" cellpadding="3" cellspacing="1" style="background:#e7e7e7; color:#666;">';
foreach($_POST as $key=>$val)
{
    if(
        $key!='action' &&
        $key!='current_page' &&
        $key!='ajaxurl' &&
        $key!='page_id' &&
        $key!='wa_forms_Id' &&
        $key!='submit'
    )
    {
        $user_fields .= '<tr>';
        $user_fields .= '  <td bgcolor="#f2f2f2" width="20%">'.IZC_Functions::unformat_name(str_replace('dynamic_forms','',$key)).'</td>
                       <td bgcolor="#FFFFFF" >'.IZC_Functions::unformat_name($val).'</td>';
        $user_fields .= '</tr>';
        // Every remaining POST field is stored as form meta; $wpdb->insert() escapes these values itself.
        $insert = $wpdb->insert($wpdb->prefix.'wap_wa_form_meta',
            array(
                'wa_form_builder_Id'=>$_REQUEST['wa_forms_Id'],
                'meta_key'=>$key,
                'meta_value'=>$val,
                'time_added' => mktime()
            )
        );
    }
}
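As an added example, not code from the plugin or from the advisory author, the same output path rewritten so that the form id never reaches SQL as a string: the id is cast with absint(), bound with $wpdb->prepare(), and the per-field insert is given an explicit format array. The function name, the nonce action name and the use of wp_send_json_error() for rejections are assumptions made for illustration; the plugin's real function is WAFormBuilder_ui_output().

```php
<?php
// Added example (not the plugin's own code). Hardened replacement for the query and
// insert path shown above. Function name, nonce action and response helpers are assumptions.

function wa_form_builder_output_hardened() {
    global $wpdb;

    // Accept only a positive integer form id; anything else is rejected before any SQL runs.
    $form_id = isset( $_REQUEST['wa_forms_Id'] ) ? absint( $_REQUEST['wa_forms_Id'] ) : 0;
    if ( $form_id < 1 ) {
        wp_send_json_error( 'invalid form id', 400 );
    }

    // Require a nonce tied to the rendered form (nonce action name is an assumption).
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'wa_form_submit_' . $form_id ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // $wpdb->prepare() binds the id as %d; the table name comes from the trusted prefix only.
    $table     = $wpdb->prefix . 'wap_wa_form_builder';
    $form_attr = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE Id = %d", $form_id )
    );
    if ( null === $form_attr ) {
        wp_send_json_error( 'unknown form', 404 );
    }

    // Control fields that must not be stored as user input (same list as the original plus the nonce).
    $skip = array( 'action', 'current_page', 'ajaxurl', 'page_id', 'wa_forms_Id', 'submit', '_wpnonce' );

    $user_fields = '<table width="100%" cellpadding="3" cellspacing="1">';
    foreach ( $_POST as $key => $val ) {
        if ( in_array( $key, $skip, true ) ) {
            continue;
        }

        // Sanitize before storing, and escape separately before echoing into HTML.
        $key = sanitize_key( $key );
        $val = is_array( $val ) ? '' : sanitize_text_field( wp_unslash( $val ) );

        $user_fields .= '<tr><td width="20%">' . esc_html( str_replace( 'dynamic_forms', '', $key ) ) . '</td>'
                      . '<td>' . esc_html( $val ) . '</td></tr>';

        // The format array pins each column's type, so the id is always written as an integer.
        $wpdb->insert(
            $wpdb->prefix . 'wap_wa_form_meta',
            array(
                'wa_form_builder_Id' => $form_id,
                'meta_key'           => $key,
                'meta_value'         => $val,
                'time_added'         => time(),
            ),
            array( '%d', '%s', '%s', '%d' )
        );
    }
    $user_fields .= '</table>';

    return $user_fields;
}
```

The two fixes that matter for the injection are the absint() cast and the %d placeholder in $wpdb->prepare(); the nonce check and output escaping are included because a handler reachable by any visitor should not trust either the caller or the field values it reflects back into the page.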

Proof of Concept:

1 – The target URL is a page on the site that displays a form created with the plugin, so first locate such a form.

2 – Send a POST request for it:

[screenshot: pluginwa1]

Result:

[screenshot: pluginwa2]

target => http://target/2016/11/21/PostWithformOfPlugin/

POST or GET =>

[screenshot: pluginwa3]

Timeline:

  • 28/11/2016 – Discovered
  • 28/11/2016 – Vendor not found
