BBS e-Franchise 1.1.1 WordPress Plugin – SQL Injection

Homepage:

BBS e-Franchise

Description:

Type of user: any user (no authentication required).
$_GET['uid'] is neither validated nor escaped before it is interpolated into a SQL query. The vulnerable URL is reachable by any visitor.

To reach the vulnerable code, find a post or page that uses the plugin, i.e. one that contains its shortcode, for example:

bbs-plugin-show

Url vulnerable : http://target/2016/09/26/ola-mundo-2/

File / Code:

File: /wp-content/plugins/bbs-e-franchise/lib/franchise.class.php

) );
   require_once($templatePath.'/list.php');
// view (single record)
} else {
   // $uid comes from $_GET['uid'] and is interpolated unquoted and unescaped into the query
   $DATA  = $wpdb->get_row( "SELECT * FROM {$this->table_list} WHERE ( prefix='{$wpdb->prefix}' AND hide='N' ) AND uid = {$uid}" );
   $titleArray = array(
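The following is an added example, not code from the plugin or from the original advisory. It rebuilds the query shape above in Python over an in-memory SQLite table with constructed rows (the table name wp_bbs_franchise_list, the prefix wp_ and the column names are assumptions standing in for $this->table_list, $wpdb->prefix and the real schema), and runs it both the way the plugin does, with uid pasted into the SQL text, and with an integer check plus a bound parameter. Because uid is interpolated unquoted, a value such as 0 OR hide='Y' extends the WHERE clause so that the hide='N' filter no longer applies and a hidden row comes back.

```python
import sqlite3
from typing import Optional

# Assumed names: the plugin keeps its table name in $this->table_list and the
# site prefix in $wpdb->prefix; these constants stand in for them.
TABLE = "wp_bbs_franchise_list"
PREFIX = "wp_"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one visible (hide='N') and one hidden (hide='Y') row."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute(f"CREATE TABLE {TABLE} (uid INTEGER, prefix TEXT, hide TEXT, title TEXT)")
    con.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)",
        [(1, PREFIX, "N", "public franchise"),
         (2, PREFIX, "Y", "hidden franchise")],
    )
    return con


def _first_row(cursor: sqlite3.Cursor) -> Optional[dict]:
    """Like $wpdb->get_row(): the first matching row, or None."""
    row = cursor.fetchone()
    return {key: row[key] for key in row.keys()} if row else None


def get_row_vulnerable(con: sqlite3.Connection, uid: str) -> Optional[dict]:
    """Mirrors franchise.class.php: the raw request value is interpolated into
    the SQL text, so it can rewrite the WHERE clause."""
    sql = (f"SELECT * FROM {TABLE} "
           f"WHERE ( prefix='{PREFIX}' AND hide='N' ) AND uid = {uid}")
    return _first_row(con.execute(sql))


def get_row_hardened(con: sqlite3.Connection, uid: str) -> Optional[dict]:
    """Hardened form: uid must be a plain decimal integer and is passed as a
    bound parameter, so request data never becomes part of the SQL text."""
    if not uid.isdecimal():
        return None
    sql = (f"SELECT * FROM {TABLE} "
           "WHERE ( prefix=? AND hide='N' ) AND uid = ?")
    return _first_row(con.execute(sql, (PREFIX, int(uid))))


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR hide='Y'"  # constructed injection value for the uid parameter
    print("vulnerable:", get_row_vulnerable(db, payload))  # the hidden row leaks
    print("hardened:  ", get_row_hardened(db, payload))    # None
```

In the plugin itself the equivalent fix is to build the statement with $wpdb->prepare() using a %d placeholder for uid (or to cast the value with absint() first) instead of interpolating $uid into the string; the integer check alone closes this hole only because uid is compared as a number, so the bound parameter is what makes the fix general.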

Proof of Concept:

[screenshots not reproduced here: bbs-plugin-query, bbs-plugin-result]

Timeline:

  • 12/11/2016 – Discovered
  • 17/11/2016 – Vendor notified
