Title: Blind SQL Injection in WordPress plugin DukaPress v2.5.9
Author: Larry W. Cashdollar, @_larry0
Date: 2015-08-04
[CVE-2015-1000011]
Download Site: http://wordpress.org/plugins/dukapress/
Vendor:
Vendor Notified: 2015-08-07
Vendor Contact: https://twitter.com/moshthepitt
Advisory: http://www.vapidlabs.com/advisory.php?v=152
Description: DukaPress is open source software that can be used to build online shops quickly and easily. DukaPress is built on top of WordPress, a world class content management system. DukaPress is built to be both simple and elegant yet powerful and scalable.
Vulnerability: The code in dukapress/download.php interpolates the unsanitized $_GET['id'] parameter directly into the SQL strings it passes to $wpdb->query(), allowing SQL to be injected. The user is not required to be logged into WordPress in order to exploit this vulnerability.

download.php, line 9:
$sql = "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) as time_diff FROM `{$table_name2}` WHERE saved_name='{$_GET['id']}'";
...
download.php, line 26:
$wpdb->query("UPDATE {$table_name2} SET count={$download_count} WHERE saved_name='{$_GET['id']}'");
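The following is an added example (not DukaPress's own code) showing the vulnerable pattern from download.php next to a hardened version that binds the id through $wpdb->prepare(), which is the standard WordPress way to keep a request parameter from changing the shape of a query. It assumes it runs inside WordPress (global $wpdb available); the table name assigned to $table_name2 and the character set accepted by the validation regex are assumptions, since the advisory does not state either.

```php
<?php
// Added example, not code from the DukaPress plugin.
// Assumes a WordPress runtime: $wpdb, wp_unslash() and wp_die() exist.
global $wpdb;
$table_name2 = $wpdb->prefix . 'dukapress_downloads'; // ASSUMED table name

// Vulnerable pattern (as in download.php): the id is spliced into the SQL
// string, so a quote inside it closes the literal and the remainder is
// parsed as SQL. Kept here only for side-by-side comparison.
function dukapress_lookup_unsafe( $id ) {
    global $wpdb, $table_name2;
    $sql = "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) as time_diff FROM `{$table_name2}` WHERE saved_name='{$id}'";
    return $wpdb->get_row( $sql );
}

// Hardened: $wpdb->prepare() escapes the bound value for a quoted string
// context (%s). Only the table name, a server-side value, is interpolated;
// prepare() does not bind identifiers.
function dukapress_lookup_safe( $id ) {
    global $wpdb, $table_name2;
    $sql = $wpdb->prepare(
        "SELECT saved_name, real_name, count, TIMESTAMPDIFF(SECOND,sent_time,NOW()) AS time_diff FROM `{$table_name2}` WHERE saved_name = %s",
        $id
    );
    return $wpdb->get_row( $sql );
}

// Hardened counterpart of the UPDATE on line 26: %d forces an integer for
// the count and %s quotes the id.
function dukapress_bump_count_safe( $id, $download_count ) {
    global $wpdb, $table_name2;
    return $wpdb->query( $wpdb->prepare(
        "UPDATE `{$table_name2}` SET count = %d WHERE saved_name = %s",
        $download_count,
        $id
    ) );
}

// Defence in depth: reject ids outside a tight allow-list before touching
// the database. The character set and length are ASSUMED; adjust them to
// whatever saved_name values the plugin actually generates.
function dukapress_valid_saved_name( $id ) {
    return is_string( $id ) && preg_match( '/^[A-Za-z0-9._-]{1,128}$/', $id ) === 1;
}

// Caller, replacing the raw $_GET['id'] usage. wp_unslash() undoes the
// slashes WordPress adds to request superglobals; prepare() re-escapes.
$id = isset( $_GET['id'] ) ? wp_unslash( $_GET['id'] ) : '';
if ( ! dukapress_valid_saved_name( $id ) ) {
    wp_die( 'Invalid download id', '', array( 'response' => 400 ) );
}
$row = dukapress_lookup_safe( $id );
```

The key change is that the request value never becomes part of the SQL text; it is passed as an argument to prepare() and quoted by WordPress. The allow-list check is optional but cheap, and makes a probe with quote or comment characters fail with a 400 before any query runs, which is also a convenient point to log for detection.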
Exploit Code:
Screen Shots:
Notes: