Title: WordPress SendIt plugin <= 1.5.9 Blind SQL Injection Vulnerability
Keyword (dork): inurl:"wp-content/plugins/sendit/submit.php"
Author: evilsocket ( evilsocket [at] gmail [dot] com )
Download URL: http://wordpress.org/extend/plugins/sendit/
Tested version: 1.5.9 (tested with magic quotes OFF)

---------------
Vulnerable code analysis
---------------

[ submit.php line 27 ]

    $user_count = $wpdb->get_var("SELECT COUNT(*) FROM $table_email where email ='$_POST[email_add]' and id_lista = '$_POST[lista]';");

As you can see, the $_POST[lista] parameter is neither validated nor escaped, so it can be blind SQL injected: the row count returned into $user_count serves as the boolean condition check (true/false oracle):

[ submit.php line 29 ]

    if($user_count>0) :
        $errore_presente = "<div class=\"error\">".__('email address already present', 'sendit')."</div>";
        die($errore_presente);

---
Test
---

POST:
    email_add = some.random.regexp.valid.email@domain.ltd
    lista     = BLIND SQL INJECTION HERE

TO: http://www.2cto.com/wp-content/plugins/sendit/submit.php

Fix: strictly filter the input (validate it and pass it to the query as a bound, escaped value).
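The line-27 query in a hardened form, as an added example written for this advisory and not the plugin's own patch: both POST values are validated and then bound through $wpdb->prepare() instead of being interpolated into the SQL string. It assumes $wpdb is the WordPress database object and $table_email is the plugin's subscriber table name, as in the snippet above; the function name sendit_subscriber_exists is a hypothetical helper.

```php
<?php
// Added example (not the SendIt plugin's code): duplicate-subscriber check
// with the request values bound via $wpdb->prepare().
// Assumptions: $wpdb is the WordPress DB object, $table_email is the
// plugin's subscriber table (both as in the advisory's snippet).

function sendit_subscriber_exists( $wpdb, $table_email, $email, $lista ) {
    // Reject anything that is not a syntactically valid e-mail address
    // before it reaches the database (WordPress core helpers).
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return null;
    }
    // Keep the list id as a plain string, matching the original query's
    // quoting; if id_lista is numeric in the schema, %d and (int) casting
    // would be tighter still.
    $lista = (string) $lista;

    // %s placeholders are quoted and escaped by $wpdb->prepare(), so the
    // attacker-controlled values never become part of the query grammar.
    // $table_email is plugin-defined, not user input, so it may be
    // interpolated (prepare() does not bind identifiers).
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table_email} WHERE email = %s AND id_lista = %s",
        $email,
        $lista
    );
    return (int) $wpdb->get_var( $sql );
}

// Usage at the point the advisory cites (submit.php line 27), assuming the
// surrounding request handling stays as it was:
$user_count = sendit_subscriber_exists(
    $wpdb,
    $table_email,
    isset( $_POST['email_add'] ) ? $_POST['email_add'] : '',
    isset( $_POST['lista'] ) ? $_POST['lista'] : ''
);
if ( null === $user_count ) {
    die( '<div class="error">' . __( 'invalid email address', 'sendit' ) . '</div>' );
}
if ( $user_count > 0 ) {
    die( '<div class="error">' . __( 'email address already present', 'sendit' ) . '</div>' );
}
```

With the values bound, a payload in lista is compared literally against id_lista and the boolean oracle the advisory relies on disappears.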