
WordPress Plugin SendIt <= 1.5.9 Blind SQL Injection Flaw and Fix

Source: 自学PHP网    Time: 2015-04-17 14:47


Title: WordPress SendIt plugin <= 1.5.9 Blind SQL Injection Vulnerability
Keywords: inurl:"wp-content/plugins/sendit/submit.php"
Author: evilsocket ( evilsocket [at] gmail [dot] com )
Download: http://wordpress.org/extend/plugins/sendit/
Tested version: 1.5.9 (tested with magic quotes OFF)
 
 
---------------
Vulnerable code analysis
---------------
 
[ submit.php line 27 ]
 
$user_count = $wpdb->get_var("SELECT COUNT(*) FROM $table_email where email ='$_POST[email_add]' and id_lista = '$_POST[lista]';");
 
 
As you can see, the $_POST[lista] parameter is neither validated nor escaped, so you can blind SQL inject it, using $user_count for the
boolean condition check:
 
 
[ submit.php line 29 ]
 
if($user_count>0) :
  $errore_presente = "<div class=\"error\">".__('email address already present', 'sendit')."</div>";
  die($errore_presente);
 
---
Test
---
 
POST:
 
email_add = some.random.regexp.valid.email@domain.ltd
lista = BLIND SQL INJECTION HERE
 
TO:
 
http://www.2cto.com /wp-content/plugins/sendit/submit.php
Fix: strictly filter the input.
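
One way to apply that fix to the duplicate check from submit.php lines 27-29, as an added example that is not part of the original advisory or the plugin's own code. It assumes WordPress is loaded and that id_lista is a numeric list id; sendit_is_subscribed() and sendit_handle_submit() are hypothetical names.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded
// ($wpdb and core helpers available) and that id_lista is a numeric id.
// sendit_is_subscribed() and sendit_handle_submit() are hypothetical names.

function sendit_is_subscribed( $wpdb, $table_email, $raw_email, $raw_lista ) {
    if ( ! is_string( $raw_email ) || ! is_string( $raw_lista ) ) {
        return new WP_Error( 'sendit_bad_input', 'invalid request' );
    }

    // WordPress adds slashes to $_POST; strip them before validating.
    $email = sanitize_email( wp_unslash( $raw_email ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'sendit_bad_email', 'invalid email address' );
    }

    // Validate: the list id must consist of digits only.
    $lista = wp_unslash( $raw_lista );
    if ( ! ctype_digit( $lista ) ) {
        return new WP_Error( 'sendit_bad_list', 'invalid list id' );
    }

    // Escape: prepare() escapes and quotes %s and casts %d to an integer.
    // $table_email is set by the plugin, never taken from the request.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table_email} WHERE email = %s AND id_lista = %d",
        $email,
        (int) $lista
    );

    return (int) $wpdb->get_var( $sql ) > 0;
}

function sendit_handle_submit( $table_email ) {
    global $wpdb;
    $email = isset( $_POST['email_add'] ) ? $_POST['email_add'] : '';
    $lista = isset( $_POST['lista'] ) ? $_POST['lista'] : '';

    $present = sendit_is_subscribed( $wpdb, $table_email, $email, $lista );
    if ( is_wp_error( $present ) ) {
        wp_die( esc_html( $present->get_error_message() ), '', array( 'response' => 400 ) );
    }
    if ( $present ) {
        die( '<div class="error">' . esc_html__( 'email address already present', 'sendit' ) . '</div>' );
    }
}
```

Rejecting a malformed list id with a distinct 400 response, before any query runs, means the "already present" message only ever reflects a lookup on validated values.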
