WordPress Users Ultra Plugin 1.5.50 - Blind SQL Injection

2015-12-04T00:00:00
ID SSV:89998
Type seebug
Reporter Root
Modified 2015-12-04T00:00:00

Description

The file xooclasses/xoo.userultra.photos.php in the users-ultra plugin contains the following code:

```php
public function edit_video_confirm () {
    global $wpdb, $xoouserultra;

    require_once(ABSPATH . 'wp-includes/formatting.php');

    $user_id = get_current_user_id();

    $video_id = $_POST["video_id"];         // video_id is taken directly from POST, unfiltered

    $video_name = sanitize_text_field($_POST["video_name"]);
    $video_unique_id = sanitize_text_field($_POST["video_unique_id"]);
    $video_type = sanitize_text_field($_POST["video_type"]);

    if($video_id!="")
    {
        $query = "UPDATE " . $wpdb->prefix ."usersultra_videos SET `video_name` = '$video_name', `video_unique_vid` = '$video_unique_id'  , `video_type` = '$video_type'  WHERE  `video_id` = '$video_id' AND `video_user_id` = '$user_id' ";
        // the WHERE clause is injectable

        $wpdb->query( $query );
    }

    die();
}
```

In this function it is clear that the video_id value from the POST data reaches the query without any filtering.

The file js/expandible.js performs the following operation:

```javascript
    //edit video
    jQuery(document).on("click", "a[href='#resp_edit_video']", function(e) {
        e.preventDefault();

        var video_id = jQuery(this).attr("data-id");   // taken from the link's data-id attribute

        jQuery.ajax({
            type: 'POST',
            url: ajaxurl,
            data: {"action": "edit_video", "video_id": video_id },
            success: function(data){
                jQuery("#video-edit-div-"+video_id).html(data);
                jQuery("#video-edit-div-"+video_id).slideDown();
            }
        });
    });
```

Injection is therefore possible. Because the statement is an UPDATE and nothing is returned to the caller (the handler ends with die()), the injection is blind.
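For comparison, the following is an added example of how the handler can be hardened; it is not the plugin's own code. It assumes the table layout implied by the advisory (usersultra_videos with columns video_id, video_user_id, video_name, video_unique_vid, video_type), that video_id is an integer column, and uses a hypothetical nonce action name 'uu_edit_video'. It is written as a plain function so it can be read on its own; in the plugin it would replace the method body shown above.

```php
<?php
// Added example, not the plugin's code. Hardened replacement for edit_video_confirm():
// the identifier is coerced to an integer, every value is bound through $wpdb's
// placeholders, and the request must carry a nonce. Nonce action name is hypothetical.
function uu_edit_video_confirm_hardened() {
    global $wpdb;

    // Reject requests without a valid nonce for this action (also blocks CSRF).
    check_ajax_referer( 'uu_edit_video', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 403 );
    }

    // absint() turns anything non-numeric into 0, so a crafted string can never
    // reach the SQL text; 0 is then rejected as an invalid identifier.
    $video_id = isset( $_POST['video_id'] ) ? absint( $_POST['video_id'] ) : 0;
    if ( 0 === $video_id ) {
        wp_send_json_error( 'invalid video_id', 400 );
    }

    $video_name      = sanitize_text_field( wp_unslash( $_POST['video_name'] ?? '' ) );
    $video_unique_id = sanitize_text_field( wp_unslash( $_POST['video_unique_id'] ?? '' ) );
    $video_type      = sanitize_text_field( wp_unslash( $_POST['video_type'] ?? '' ) );

    $table = $wpdb->prefix . 'usersultra_videos';

    // $wpdb->update() builds the UPDATE from the arrays and escapes each value
    // according to its format, so no user-controlled string is concatenated into SQL.
    $rows = $wpdb->update(
        $table,
        array(
            'video_name'       => $video_name,
            'video_unique_vid' => $video_unique_id,
            'video_type'       => $video_type,
        ),
        array(
            'video_id'      => $video_id,
            'video_user_id' => $user_id,
        ),
        array( '%s', '%s', '%s' ),   // formats for the SET values
        array( '%d', '%d' )          // formats for the WHERE values
    );

    if ( false === $rows ) {
        wp_send_json_error( 'update failed', 500 );
    }

    // Tell the caller how many rows changed (0 means the video is not owned by this user).
    wp_send_json_success( array( 'updated' => $rows ) );
}
```

The client-side request in js/expandible.js would then have to include the nonce field, produced server-side with wp_create_nonce( 'uu_edit_video' ), alongside action and video_id. Where the query cannot be expressed with $wpdb->update(), the same protection comes from $wpdb->prepare() with %d and %s placeholders for every value, for example `$wpdb->prepare( "... WHERE video_id = %d AND video_user_id = %d", $video_id, $user_id )`; what matters is that the original string concatenation of `'$video_id'` into the WHERE clause never happens.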