# Exploit Title: WordPress SendIt plugin <= 1.5.9 Blind SQL Injection Vulnerability # Google Dork: inurl:"wp-content/plugins/sendit/submit.php" # Date: 2011-08-25 # Author: evilsocket ( evilsocket [at] gmail [dot] com ) # Software Link: WordPress › Sendit « WordPress Plugins # Version: 1.5.9 (tested with magic quotes OFF) --------------- Vulnerable code --------------- [ submit.php line 27 ] $user_count = $wpdb->get_var("SELECT COUNT(*) FROM $table_email where email ='$_POST[email_add]' and id_lista = '$_POST[lista]';"); As you can see, $_POST[lista] parameter is nor validated neither escaped, so you can blind sql inject it using $user_count for the boolean condition checking : [ submit.php line 29 ] if($user_count>0) : $errore_presente = "<div class=\"error\">".__('email address already present', 'sendit')."</div>"; die($errore_presente); --- PoC --- POST: email_add = [email protected] lista = BLIND SQL INJECTION HERE TO: http://www.site.com/wp-content/plugins/sendit/submit.php sursa