Sirv 1.3.1 Plugin For WordPress

Homepage:

https://wordpress.org/plugins/sirv/

Description:

The row id taken from $_POST['row_id'] is not escaped before it is interpolated into the SQL query. sirv_get_row_by_id() is accessible to every registered user: the handler checks neither a capability nor a nonce, only that the request arrived via admin-ajax.php.

File / Code:

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id');

function sirv_get_row_by_id(){

    // Only verifies that this is an AJAX request carrying row_id.
    // There is no capability check and no nonce check, so any
    // logged-in user can reach the query below.
    if(!(is_array($_POST) && isset($_POST['row_id']) && defined('DOING_AJAX') && DOING_AJAX)){
        return;
    }

    global $wpdb;

    $table_name = $wpdb->prefix . 'sirv_shortcodes';

    $id = $_POST['row_id'];

    // Unsanitised user input is interpolated straight into the SQL string.
    $row =  $wpdb->get_row("SELECT * FROM $table_name WHERE id = $id", ARRAY_A);

    $row['images'] = unserialize($row['images']);

    echo json_encode($row);

    //echo json_encode(unserialize($row['images']));

    wp_die();
}
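For comparison, the following is a hardened version of the same handler. It is an added example written for this advisory, not code from the Sirv plugin; the capability name `manage_options`, the nonce action `sirv_get_row_by_id` and the `_ajax_nonce` field name are assumptions chosen for illustration, and the table name is taken from the code above.

```php
<?php
// Added example, not the plugin's own code. Assumed: the 'manage_options'
// capability is the right one for reading shortcode rows, and the admin page
// that issues the request embeds wp_create_nonce('sirv_get_row_by_id') as the
// '_ajax_nonce' POST field.

add_action('wp_ajax_sirv_get_row_by_id', 'sirv_get_row_by_id_hardened');

function sirv_get_row_by_id_hardened() {
    // 1. Only serve AJAX requests, as the original handler intended.
    if (!(defined('DOING_AJAX') && DOING_AJAX)) {
        wp_die();
    }

    // 2. Authorization: a plain subscriber must not reach the query at all.
    //    This is the check that closes the "every registered user" hole;
    //    a nonce alone does not, because a logged-in user can obtain one.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // 3. CSRF protection: dies with a 403 if the nonce is missing or stale.
    check_ajax_referer('sirv_get_row_by_id', '_ajax_nonce');

    // 4. Input validation: the id is an integer, so coerce it before it goes
    //    anywhere near SQL. absint() turns anything non-numeric into 0.
    $id = isset($_POST['row_id']) ? absint($_POST['row_id']) : 0;
    if ($id === 0) {
        wp_send_json_error(array('message' => 'invalid row_id'), 400);
    }

    global $wpdb;
    $table_name = $wpdb->prefix . 'sirv_shortcodes';

    // 5. Parameterised query: the %d placeholder forces an integer, so the
    //    value can no longer alter the structure of the statement.
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$table_name} WHERE id = %d", $id),
        ARRAY_A
    );

    if ($row === null) {
        wp_send_json_error(array('message' => 'not found'), 404);
    }

    // 6. The images column is stored serialized. Forbidding class
    //    instantiation during unserialize() (PHP >= 7.0) removes the risk of
    //    object injection should that column ever become attacker-influenced.
    $row['images'] = unserialize($row['images'], array('allowed_classes' => false));

    wp_send_json_success($row);
}
```

The order of the checks matters: the capability test runs before any database access, so an unprivileged account is rejected without touching the table, and `$wpdb->prepare` with `%d` means the query is safe even if a later refactor loosens the `absint()` step.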

Proof of Concept:

[Screenshot: sqlinjectionsirv]

1 – Log in as a regular user (created via wp-login.php?action=register):

2 – Send a POST request to:

target => http://target/wp-admin/admin-ajax.php

Post => [Screenshot: urlsirvsqlinjection]

Note: for the screenshot I used a Chrome plugin to send the request (as GET or POST); in that case I set the cookie myself, because I was simulating being logged in to WordPress.

Timeline:

  • 10/11/2016 – Discovered
  • 10/11/2016 – Vendor notified
