########################################################### # Exploit Title : Wordpress salient Themes SQL Injection Vulnerability # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage: themenectar.com # Date : 2017 10 April # Category : Web App # Dork : inurl:"/wp-content/themes/salient/includes/portfolio-functions" # Software Link : http://bangalowshoemaking.com/fobi/wp-content/themes/salient/salient.zip ########################################################### ################### Vulnerability Details ####################### ########################################################### salient Themes SQL Injection Vulnerability Researched by Ashiyane Digital Security Team Location : localhost/Directory//wp-content/themes/salient/includes/portfolio-functions/video.php?post-id= Test parameter : post-id Injection type is Integer ########################################################### <?php // Access WordPress $absolute_path = __FILE__; $path_to_file = explode( 'wp-content', $absolute_path ); $path_to_wp = $path_to_file[0]; require_once( $path_to_wp . '/wp-load.php' ); $postid = stripslashes(htmlspecialchars_decode(filter_input(INPUT_GET, 'post-id', FILTER_SANITIZE_STRING))); $video_height = get_post_meta($postid, '_nectar_video_height', true); $video = get_post_meta($postid, '_nectar_video_embed', true); $video_m4v = get_post_meta($postid, '_nectar_video_m4v', true); $video_ogv = get_post_meta($postid, '_nectar_video_ogv', true); $video_poster = get_post_meta($postid, '_nectar_video_poster', true); if(empty($video_height)) $video_height = 480; wp_head(); wp_dequeue_script( 'my_acsearch' ); wp_dequeue_script( 'respond' ); ?> <script> jQuery(document).ready(function($){ if( $(window).width() <= 690 ){ function pp_video_height() { $('#pp-video-wrap').css('height',$('.mejs-container').width()/1.777); } $(window).resize(pp_video_height); pp_video_height(); } function videoshortcodeSize(){ $('.wp-video').each(function(){ var newWidth = $(this).width(); var $el = $(this).find('.wp-video-shortcode'); $(this).height($('.mejs-container').width()/1.777); }); } videoshortcodeSize(); $(window).resize(videoshortcodeSize); }); </script> <style> #header-outer { display: none!important;} html { overflow: hidden!important; } </style> </head> <div id="header-outer" data-header-resize="1"></div> <?php if ( floatval(get_bloginfo('version')) < "3.6" ) { ?> <style> body {background-color: #000; height: <?php echo $video_height + 33; ?>px!Important;} #wpadminbar { display: none;} html { margin-top: 0px!important; } .jp-video-container { margin-bottom: 0px!important;} .jp-jplayer { height: <?php echo $video_height; ?>px!important; } @media only screen and (min-width : 1px) and (max-width : 1050px) { body {background-color: transparent!important;} .jp-jplayer { height: auto!important; } } </style> <?php } else { ?> <style> body {background-color: #000; overflow-y:hidden; height: <?php echo $video_height; ?>px!Important;} #wpadminbar { display: none;} html { margin-top: 0px!important; } .mejs-mediaelement #me_flash_0_container { height: 100%; } .mejs-fullscreen-button { display: none!important; } .wp-video { width: 100%!important; } @media only screen and (min-width : 1px) and (max-width : 1050px) { body {background-color: transparent!important;} } </style> <?php } ?> <body class="pp-video-function"> <?php if ( floatval(get_bloginfo('version')) < "3.6" ) { nectar_video($postid); } else { //self hosted if(!empty($video_m4v) || !empty($video_ogv)) { $video_output = '[video '; if(!empty($video_m4v)) { $video_output .= 'mp4="'. $video_m4v .'" '; } if(!empty($video_ogv)) { $video_output .= 'ogv="'. $video_ogv .'"'; } $video_output .= ' poster="'.$video_poster.'"]'; echo '<div class="video">' . do_shortcode($video_output) . '</div>'; } //embed else { echo '<div id="pp-video-wrap">'.do_shortcode($video).'</div>'; } } wp_footer(); ?> ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir ###########################################################