ClsHack Blog


[Video] Exploit, SQL INJECTION WordPress

July 9th, 2011 by clshack


Recently a nice exploit came out for WordPress, the well-known blogging CMS:
http://www.exploit-db.com/exploits/17465/

In the video, bsqlbf-v2 (Blind SQL Injection Brute Forcer version 2) is used.
The nice thing about this tool is that it supports several databases:

  • MS-SQL
  • MySQL
  • PostgreSQL
  • Oracle


Using it is very simple and similar to other tools for finding and exploiting SQL injection.
(http://www.clshack.com/tools-for-exploiting-sql-injections.html)
You can download the latest version of bsqlbf-v2 by typing:

svn checkout http://bsqlbf-v2.googlecode.com/svn/trunk/ bsqlbf-v2
cd bsqlbf-v2
./bsqlbf*.pl
More information can be found here:
http://code.google.com/p/bsqlbf-v2/

The vulnerabilities found in WordPress 3.1.3 are the following:

1) The get_terms() filter declared in the wp-includes/taxonomy.php file
does not properly validate user input, allowing an attacker with
“Editor” privileges to inject arbitrary SQL commands in the “orderby”
and “order” parameters passed as array members to the vulnerable filter
when sorting for example link categories.

The following URLs could be used to perform blind SQL injection
attacks:

http://localhost/wp-admin/edit-tags.php?taxonomy=link_category&orderby=[SQL injection]&order=[SQL injection]

http://localhost/wp-admin/edit-tags.php?taxonomy=post_tag&orderby=[SQL injection]&order=[SQL injection]

http://localhost/wp-admin/edit-tags.php?taxonomy=category&orderby=[SQL injection]&order=[SQL injection]

2) The get_bookmarks() function declared in the
wp-includes/bookmark.php file does not properly validate user input,
allowing an attacker with “Editor” privileges to inject arbitrary SQL
commands in the “orderby” and “order” parameters passed as array
members to the vulnerable function when sorting links.

The following URL could be used to perform blind SQL injection attacks:

http://localhost/wp-admin/link-manager.php?orderby=[SQL injection]&order=[SQL injection]
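Both findings above share one root cause: the values of "orderby" and "order" are spliced into an ORDER BY clause without being checked. Identifiers and sort directions cannot be bound as prepared-statement parameters, so the only robust defence is to compare them against a fixed allowlist before they reach the query text. The following is an added illustration of that control, not code from the original post, the advisory or WordPress itself; it uses Python with an in-memory SQLite table, and the table, its rows and the allowlisted column names are constructed for this example.

```python
import sqlite3

# Constructed allowlists for this example: the columns a caller may sort by
# and the only two directions SQL accepts. Anything else is refused.
ALLOWED_ORDERBY = {"name", "slug", "count"}
ALLOWED_ORDER = {"ASC", "DESC"}


def build_order_clause_unsafe(orderby: str, order: str) -> str:
    """The flawed pattern the advisory describes: caller-supplied sort fields
    are concatenated straight into ORDER BY, so whatever text arrives in
    orderby/order becomes part of the SQL statement."""
    return f"SELECT name, slug, count FROM terms ORDER BY {orderby} {order}"


def validate_sort(orderby, order):
    """Return (columns, direction) guaranteed to be on the allowlists.

    The advisory notes the values arrive 'as array members', so orderby is
    accepted as a single string or a list of strings and every element is
    checked. The direction is normalised to upper case. Any unexpected value
    raises ValueError; the caller should refuse the request, not fall back.
    """
    cols = [orderby] if isinstance(orderby, str) else list(orderby)
    if not cols:
        raise ValueError("orderby must not be empty")
    for col in cols:
        if not isinstance(col, str) or col not in ALLOWED_ORDERBY:
            raise ValueError(f"orderby value not permitted: {col!r}")
    if not isinstance(order, str) or order.upper() not in ALLOWED_ORDER:
        raise ValueError(f"order value not permitted: {order!r}")
    return cols, order.upper()


def build_order_clause_safe(orderby, order) -> str:
    """Build the same query, but only from allowlisted identifiers."""
    cols, direction = validate_sort(orderby, order)
    order_by = ", ".join(f"{c} {direction}" for c in cols)
    return f"SELECT name, slug, count FROM terms ORDER BY {order_by}"


def sorted_terms(conn, orderby, order):
    """Fetch rows sorted by validated parameters; raises on bad input."""
    return conn.execute(build_order_clause_safe(orderby, order)).fetchall()


def is_rejected(orderby, order) -> bool:
    """True if the hardened builder refuses this orderby/order pair."""
    try:
        build_order_clause_safe(orderby, order)
    except ValueError:
        return True
    return False


def demo_connection():
    """Constructed in-memory table standing in for a 'terms' taxonomy table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE terms (name TEXT, slug TEXT, count INTEGER)")
    conn.executemany(
        "INSERT INTO terms VALUES (?, ?, ?)",
        [("Blogroll", "blogroll", 7), ("News", "news", 12), ("Tools", "tools", 3)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(sorted_terms(conn, ["count"], "asc"))
    # A value that is not a plain column name is refused before any SQL runs.
    print("rejected:", is_rejected("name, (SELECT 1)", "ASC"))
```

The unsafe builder is kept only to show the contrast: it returns its arguments verbatim inside the statement, which is exactly the condition bsqlbf-v2 probes for. The hardened path compares each element against the allowlist rather than trying to strip "bad" characters, so there is no encoding or comment trick to get around; the detection signal for defenders is the same, a request whose sort parameters are anything other than a known column name and ASC/DESC.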

As you will have read, you need Editor privileges to be able to exploit this SQL injection .-.

Well, here's the video: