Vulnerabilities > CVE-2007-2821 - SQL Injection vulnerability in Wordpress Admin-Ajax.PHP
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter.
Vulnerable Configurations
Exploit-Db
description | Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit. CVE-2007-2821. Webapps exploit for php platform |
file | exploits/php/webapps/3960.php |
id | EDB-ID:3960 |
last seen | 2016-01-31 |
modified | 2007-05-21 |
platform | php |
port | |
published | 2007-05-21 |
reporter | waraxe |
source | https://www.exploit-db.com/download/3960/ |
title | WordPress 2.1.3 - admin-ajax.php SQL Injection Blind Fishing Exploit |
type | webapps |
Nessus
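NASL family CGI abuses NASL id WORDPRESS_AJAX_REFERER_SQL_INJECTION.NASL description The version of WordPress on the remote host fails to properly sanitize input to the last seen 2020-06-01 modified 2020-06-02 plugin id 25291 published 2007-05-23 reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25291 title WordPress check_ajax_referer() Function SQL Injection code
#
# (C) Tenable Network Security, Inc.
#
# Remote check for CVE-2007-2821: sends one GET request to
# wp-admin/admin-ajax.php whose 'cookie' parameter carries a single
# quote, and reports the host only if the response contains a WordPress
# database error that echoes the probe string inside the
# "WHERE user_login = '...'" clause.  The probe never modifies data;
# it only provokes a SQL syntax error that the application prints back.
#

include("compat.inc");

if (description)
{
  script_id(25291);
  script_version("1.22");
  script_cvs_date("Date: 2018/11/15 20:50:19");

  script_cve_id("CVE-2007-2821");
  script_bugtraq_id(24076);
  script_xref(name:"EDB-ID", value:"3960");

  script_name(english:"WordPress check_ajax_referer() Function SQL Injection");
  script_summary(english:"Attempts to generate a SQL error.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to a SQL injection attack.");
  script_set_attribute(attribute:"description", value:
"The version of WordPress on the remote host fails to properly sanitize input to the 'cookie' parameter of the 'wp-admin/admin-ajax.php' script before using it in the 'check_ajax_referer' function in database queries. 
Regardless of PHP's 'magic_quotes_gpc' setting, an unauthenticated, remote attacker can leverage this issue to launch SQL injection attacks against the affected application, including the discovery of password hashes of WordPress users.");
  script_set_attribute(attribute:"see_also", value:"http://www.waraxe.us/advisory-50.html");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2007/May/316");
  script_set_attribute(attribute:"solution", value:"Upgrade to version 2.2.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/05/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/05/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_end_attributes();

  # ACT_ATTACK: the check sends a crafted request rather than matching a version.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("install_func.inc");

# Locate the WordPress install recorded by wordpress_detect.nasl.
app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);
port = get_http_port(default:80, php:TRUE);
install = get_single_install(
  app_name : app,
  port     : port
);
dir = install['path'];
install_url = build_url(port:port, qs:dir);

# Try to exploit the flaw to generate a SQL error.
# The probe is a lone single quote followed by this plugin's name, so the
# string echoed in the error message is unambiguous (and, presumably,
# recognisable in the target's web server logs).
exploit = "'" + SCRIPT_NAME;

# nb: this works as long as the USER_COOKIE and PASS_COOKIE are
#     derived from COOKIEHASH / site url as in wp-settings.php.
# Rebuild the site URL exactly as WordPress would hash it: scheme, host,
# an explicit port only when it is not 80, and the install path without
# a trailing slash.
site = "http://" + get_host_name();
if (port != 80) site = site + ":" + port;
# Compare the LAST CHARACTER of dir with '/', not its length: the previous
# test (strlen(dir)-1 == '/') compared an integer with a string and so never
# stripped the trailing slash, which changed the hashed site URL.
if (strlen(dir) > 0 && dir[strlen(dir)-1] == '/') dir = substr(dir, 0, strlen(dir)-2);
site = site + dir;
cookiehash = hexstr(MD5(site));
# NOTE(review): the hash is always computed over an http:// URL; an install
# whose configured site URL uses https would presumably yield a different
# COOKIEHASH and a false negative here -- confirm against wp-settings.php.

# nb: we need to encode (twice) the single quote.
# First pass: percent-encode the probe for use as a cookie value.
cookie = urlencode(
  str        : exploit,
  unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_!~*()-]/"
);
cookie = "wordpressuser_" + cookiehash + "=" + cookie + "; " +
         "wordpresspass_" + cookiehash + "=x";
# Second pass: the whole cookie string is itself encoded as a query parameter.
u = dir + "/wp-admin/admin-ajax.php?cookie=" + urlencode(str:cookie);
r = http_send_recv3(method: "GET", port:port, item: u, exit_on_fail: TRUE);

# There's a problem if we see an error involving our exploit for the user name.
if ("WordPress database error" >< r[2])
{
  # NOTE(review): find and replace are identical here, so this call is a
  # no-op as written; the 'find' argument was presumably an HTML entity for
  # the apostrophe that was decoded during extraction -- confirm against
  # the plugin source before relying on this normalisation.
  res2 = str_replace(find:"'", replace:"'", string:r[2]);
  # Only a match that reproduces our probe inside the user_login clause
  # counts; a generic database error on its own is not reported.
  if (" WHERE user_login = '" + exploit + "'</code>" >< res2)
  {
    set_kb_item(name: 'www/'+port+'/SQLInjection', value: TRUE);
    security_hole(port);
    exit(0);
  }
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url);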
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1502.NASL description Several remote vulnerabilities have been discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3238 Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. - CVE-2007-2821 SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. - CVE-2008-0193 Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. - CVE-2008-0194 Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Wordpress is not present in the oldstable distribution (sarge). last seen 2020-06-01 modified 2020-06-02 plugin id 31146 published 2008-02-25 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31146 title Debian DSA-1502-1 : wordpress - several vulnerabilities code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1502. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (credentialed) check: compares the installed Debian 'wordpress'
# package version against the fixed version named in DSA-1502.  No
# request is sent to the web application itself.
#

include("compat.inc");

if (description)
{
  script_id(31146);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:21");

  # NOTE(review): the description and see_also entries below cover four
  # CVEs (CVE-2007-3238, CVE-2007-2821, CVE-2008-0193, CVE-2008-0194),
  # but only two are registered here -- confirm whether that is intended.
  script_cve_id("CVE-2008-0193", "CVE-2008-0194");
  script_xref(name:"DSA", value:"1502");

  script_name(english:"Debian DSA-1502-1 : wordpress - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"Several remote vulnerabilities have been discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-3238 Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php. - CVE-2007-2821 SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. - CVE-2008-0193 Cross-site scripting (XSS) vulnerability in wp-db-backup.php in WordPress 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. - CVE-2008-0194 Directory traversal vulnerability in wp-db-backup.php in WordPress 2.0.3 and earlier allows remote attackers to read arbitrary files, delete arbitrary files, and cause a denial of service via a .. (dot dot) in the backup parameter in a wp-db-backup.php action to wp-admin/edit.php. Wordpress is not present in the oldstable distribution (sarge).");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3238");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-2821");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0193");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0194");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1502");
  script_set_attribute(attribute:"solution", value:"Upgrade the wordpress package. For the stable distribution (etch), these problems have been fixed in version 2.0.10-1etch1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cwe_id(22, 79);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2008/02/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2008/02/25");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Preconditions, each of which audits out with its own reason: credentialed
# checks enabled, the host identified as Debian, and a dpkg listing present.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Etch (4.0) is the only release covered; the host is affected when its
# wordpress package is older than the DSA's fixed version.
affected = FALSE;
if (deb_check(release:"4.0", prefix:"wordpress", reference:"2.0.10-1etch1")) affected = TRUE;

if (affected)
{
  # Verbose reports include the package/version detail collected by deb_check.
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://osvdb.org/36311
- http://secunia.com/advisories/25345
- http://secunia.com/advisories/29014
- http://www.debian.org/security/2008/dsa-1502
- http://www.exploit-db.com/exploits/3960
- http://www.securityfocus.com/archive/1/469258/100/0/threaded
- http://www.securityfocus.com/bid/24076
- http://www.vupen.com/english/advisories/2007/1889
- http://www.waraxe.us/advisory-50.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34399