Sirv 1.3.1 Plugin For WordPress

Homepage:

https://wordpress.org/plugins/sirv/

Description:

The value of $_POST['id'] is used without any input validation or sanitisation. sirv_get_row_by_id() is reachable by any registered user.

File / Code:

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id');

function sirv_get_row_by_id(){

    // wp_ajax_* hooks run for any authenticated user; there is no nonce or
    // capability check beyond that.
    if(!(is_array($_POST) && isset($_POST['row_id']) && defined('DOING_AJAX') && DOING_AJAX)){
        return;
    }

    global $wpdb;

    $table_name = $wpdb->prefix . 'sirv_shortcodes';

    // Taken straight from the request body: no casting, escaping or validation.
    $id = $_POST['row_id'];

    // User input interpolated directly into the SQL string (the injection point).
    $row =  $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

    $row['images'] = unserialize($row['images']);

    echo json_encode($row);

    //echo json_encode(unserialize($row['images']));

    wp_die();
}
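As an added example (not the plugin's code and not the author's proof of concept), the same handler in a hardened form: the identifier is coerced to an integer and bound through $wpdb->prepare(), and the request is gated by a nonce and a capability check. The nonce action name 'sirv_get_row' and the manage_options capability are assumptions for illustration.

```php
<?php
// Added example: hardened variant of the handler quoted above. Illustrative
// code written for this post, not the vendor's patch. Assumes WordPress is
// loaded (wp_die, check_ajax_referer, current_user_can, $wpdb, absint).

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id_hardened');

function sirv_get_row_by_id_hardened() {
    // 1. Only handle the request in the AJAX context, as the original does.
    if (!(defined('DOING_AJAX') && DOING_AJAX) || !isset($_POST['row_id'])) {
        wp_send_json_error('bad request', 400);
    }

    // 2. Nonce + capability check. wp_ajax_* only guarantees a logged-in
    //    user, not one entitled to read shortcode rows. 'sirv_get_row' is an
    //    assumed action name; the admin page would emit the matching nonce
    //    with wp_create_nonce('sirv_get_row').
    check_ajax_referer('sirv_get_row', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Coerce the identifier to a non-negative integer before it reaches SQL.
    $id = absint($_POST['row_id']);
    if ($id === 0) {
        wp_send_json_error('invalid id', 400);
    }

    global $wpdb;
    $table_name = $wpdb->prefix . 'sirv_shortcodes'; // derived from config, not user input

    // 4. Parameterise the query: %d binds an integer, so the request value can
    //    no longer alter the structure of the SQL statement.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$table_name} WHERE id = %d", $id),
        ARRAY_A
    );
    if ($row === null) {
        wp_send_json_error('not found', 404);
    }

    // 5. Decode the stored image list without allowing object instantiation.
    $row['images'] = unserialize($row['images'], ['allowed_classes' => false]);

    wp_send_json_success($row);
}
```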

Proof of Concept:

1 – Log in as a regular user (created via wp-login.php?action=register):

2 – Send a POST request to:

target => http://target/wp-admin/admin-ajax.php

Post => (the request body was shown as an image in the original post)

Timeline:

  • 10/11/2016 – Discovered
  • 10/11/2016 – Reported to the vendor
