Wordpress webplayer Plugins SQL Injection Vulnerability

2017.04.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

########################################################### # Exploit Title : Wordpress webplayer Plugins SQL Injection Vulnerability # Exploit Author : Ashiyane Digital Security Team # Vendor Homepage: hdwebplayer.com # Version : 2.8.6 # Date : 2017 10 April # Category : Web App #Test on : Sqlmap , linux # Dork :inurl:/wp-content/plugins/webplayer/config.php?id= # Software Link : https://downloads.wordpress.org/plugin/hdw-player-video-player-video-gallery.3.4.zip ########################################################### ### Location localhost:/Directory/wp-content/plugins/webplayer/config.php?id= localhost:/Directory/wp-content/plugins/webplayer/playlist.php?videoid= ########################################################### ### Vulnerability Files : Config.php <?php /****************************************************************** /*Bootstrap file for getting the ABSPATH constant to wp-load.php /*This is requried when a plugin requires access not via the admin screen. ******************************************************************/ require_once (dirname ( __FILE__ ) . '/isMobile.php'); add_filter('query_vars','plugin_add_trigger'); function plugin_add_trigger($vars) { $vars[] = 'wid'; $vars[] = 'view'; $vars[] = 'vid'; $vars[] = 'pid'; $vars[] = 'lic'; return $vars; } add_action('template_redirect', 'plugin_trigger_check'); function plugin_trigger_check() { if(get_query_var('wid') && get_query_var('view') == "config"){ configXml(get_query_var('wid')); }else if(get_query_var('vid') && checkL(get_query_var('lic'))){ videoPlaylist(get_query_var('vid')); }else if(get_query_var('pid') && checkL(get_query_var('lic'))){ playlist(get_query_var('pid')); } } function configXML($id){ global $wpdb; $id = encrypt_decrypt('decrypt', $id); $table_name = $wpdb->prefix."hdwplayer"; $config = $wpdb->get_row( $wpdb->prepare("SELECT * FROM ".$table_name." WHERE id = %d",trim($id))); $siteurl = get_option('siteurl'); $br = "\n"; if(!$config->id){ die('<b><h1>Restricted access</h1></b>'); } srand ((double) microtime( )*1000000); $dyn = rand( ); $value['token'] = $dyn; $video_id = ''; if($_GET['vid']){ $video_id = '&amp;id='.intval($_GET['vid']); } $wpdb->update($table_name, $value, array('id' => $config->id)); header("content-type:text/xml;charset=utf-8"); echo '<?xml version="1.0" encoding="utf-8"?>'.$br; echo '<config>'.$br; echo '<skinMode>'.$config->skinmode.'</skinMode>'.$br; echo '<autoStart>'.castAsBoolean($config->autoplay).'</autoStart>'.$br; echo '<stretch>'.$config->stretchtype.'</stretch>'.$br; echo '<buffer>'.$config->buffertime.'</buffer>'.$br; echo '<volumeLevel>'.$config->volumelevel.'</volumeLevel>'.$br; if($config->videoid){ echo '<playListXml>'.$siteurl.'/?vid='.$config->videoid.'</playListXml>'.$br; } else { echo '<playListXml>'.$siteurl.'/?pid='.$config->playlistid.$video_id.'</playListXml>'.$br; } echo skinXml($config); echo '<playListAutoStart>'.castAsBoolean($config->playlistautoplay).'</playListAutoStart>'.$br; echo '<playListOpen>'.castAsBoolean($config->playlistopen).'</playListOpen>'.$br; echo '<playListRandom>'.castAsBoolean($config->playlistrandom).'</playListRandom>'.$br; echo '<token>'.$dyn.'</token>'.$br; echo '</config>'.$br; exit(); } function videoPlaylist($id){ global $wpdb; $siteurl = get_option('siteurl'); $br = "\n"; $config = $wpdb->get_results($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."hdwplayer_videos WHERE id = %d",intval($id))); $item = $config[0]; header("content-type:text/xml;charset=utf-8"); echo '<?xml version="1.0" encoding="utf-8"?>'.$br; echo '<playlist>'.$br; echo '<media>'.$br; echo '<id>'.$item->id.'</id>'.$br; echo '<type>'.$item->type.'</type>'.$br; echo '<video>'.$item->video.'</video>'.$br; if($item->hdvideo) { echo '<hd>'.$item->hdvideo.'</hd>'.$br; } echo '<streamer>'.$item->streamer.'</streamer>'.$br; if($item->dvr) { echo '<dvr>'.$item->dvr.'</dvr>'.$br; } echo '<thumb>'.$item->thumb.'</thumb>'.$br; if($item->token) { echo '<token>'.$item->token.'</token>'.$br; } echo '<preview>'.$item->preview.'</preview>'.$br; echo '<title>'.$item->title.'</title>'.$br; echo '</media>'.$br.$br; echo '</playlist>'.$br; exit(); } function playlist($id){ global $wpdb; $val = 0; $siteurl = get_option('siteurl'); $br = "\n"; $vid = ($_GET['id'] != '') ? $_GET['id'] : ''; $query = "SELECT * FROM ".$wpdb->prefix."hdwplayer_videos WHERE"; if($vid == ''){ $query .= " playlistid = %d"; $val = intval($id); }else{ $query .= " id = %d"; $val = intval($vid); } $query .= ' ORDER BY ordering'; $config = json_decode(json_encode($wpdb->get_results($wpdb->prepare($query,$val))),true); if($vid != ''){ $query = "SELECT * FROM ".$wpdb->prefix."hdwplayer_videos WHERE"; $query .= " id != %d"; $query .= " AND playlistid = %d"; $query .= " ORDER BY ordering"; $config = array_merge($config,json_decode(json_encode($wpdb->get_results($wpdb->prepare($query,intval($vid),intval($id)))),true)); } if(!$config[0]['id']){ die('<b><h1>Restricted access</h1></b>'); } header("content-type:text/xml;charset=utf-8"); echo '<?xml version="1.0" encoding="utf-8"?>'.$br; echo '<playlist>'.$br; foreach ($config as $item){ $br; echo '<media>'.$br; echo '<id>'.$item['id'].'</id>'.$br; echo '<type>'.$item['type'].'</type>'.$br; echo '<video>'.$item['video'].'</video>'.$br; if($item['hdvideo']) { echo '<hd>'.$item['hdvideo'].'</hd>'.$br; } echo '<streamer>'.$item['streamer'].'</streamer>'.$br; if($item['dvr']) { echo '<dvr>'.$item['dvr'].'</dvr>'.$br; } echo '<thumb>'.$item['thumb'].'</thumb>'.$br; if($item['token']) { echo '<token>'.$item['token'].'</token>'.$br; } echo '<preview>'.$item['preview'].'</preview>'.$br; echo '<title>'.$item['title'].'</title>'.$br; echo '</media>'.$br.$br; } echo '</playlist>'.$br; exit(); } function skinXml($config){ $br = "\n"; $node = '<controlBar>'.castAsBoolean($config->controlbar).'</controlBar>'.$br; $node .= '<playPauseDock>'.castAsBoolean($config->playpause).'</playPauseDock>'.$br; $node .= '<progressBar>'.castAsBoolean($config->progressbar).'</progressBar>'.$br; $node .= '<timerDock>'.castAsBoolean($config->timer).'</timerDock>'.$br; $node .= '<shareDock>'.castAsBoolean($config->share).'</shareDock>'.$br; $node .= '<volumeDock>'.castAsBoolean($config->volume).'</volumeDock>'.$br; $node .= '<fullScreenDock>'.castAsBoolean($config->fullscreen).'</fullScreenDock>'.$br; $node .= '<playDock>'.castAsBoolean($config->playdock).'</playDock>'.$br; $node .= '<playList>'.castAsBoolean($config->playlist).'</playList>'.$br; return $node; } function castAsBoolean($val){ if($val == 1) { return 'true'; } else { return 'false'; } } function encrypt_decrypt($action, $string) { $output = false; if( $action == 'encrypt' ) { $output = (double)$string*525325.24; $output = base64_encode($output); } else if( $action == 'decrypt' ){ $output = base64_decode(substr($string,0,-3)); $output = (double)$output/525325.24; } return $output; } function checkL($lic){ global $wpdb; $token = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."hdwplayer"); $license = array(); foreach($token as $tok){ $license[] = trim($tok->token); } if(in_array(trim($lic),$license)){ return true; } return false; } function hdwplayer_gallery_ajax(){ if(!isset($_POST['action'])) { return; } $action = $_POST['action']; if('flashvars' == $action) { global $wpdb; $player = $wpdb->get_row ( $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "hdwplayer WHERE id = %d",intval($_POST ['id']))); $siteurl = get_option ( 'siteurl' ); $results = $wpdb->get_row ( $wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "hdwplayer_videos WHERE id = %d",intval($_POST ['vid']))); $detect = new Mobile_Detect(); if ($detect->isMobile()) { switch ($results->type) { case 'youtube' : $url_string = parse_url ( $results->video, PHP_URL_QUERY ); parse_str ( $url_string, $args ); $html5 = '<iframe title="YouTube video player" width="100%" height="100%" src="http://www.youtube.com/embed/' . $args ['v'] . '" frameborder="0" allowfullscreen></iframe>'; break; case 'dailymotion' : $html5 = '<iframe frameborder="0" width="100%" height="100%" src="' . $results->video . '"></iframe>'; break; case 'rtmp' : $url_string = str_replace ( 'rtmp', 'http', $results->streamer ) . '/' . $results->video . '/playlist.m3u8'; $html5 = '<video poster="' . $results->preview . '" onclick="this.play();" width="100%" height="100%" controls>'; $html5 .= '<source src="' . $url_string . '" />'; $html5 .= '</video>'; break; default : $html5 = '<video poster="' . $results->preview . '" onclick="this.play();" width="100%" height="100%" controls>'; $html5 .= '<source src="' . $results->video . '" />'; $html5 .= '</video>'; } }else{ $flashvars = 'baseW=' . $siteurl . '&id=' . encrypt_decrypt ( 'encrypt', $player->id ).'&vid='.intval($_POST ['vid']); $src = $siteurl . '/wp-content/plugins/' . basename ( dirname ( __FILE__ ) ) . '/player.swf'; $html5 .= '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="' . $player->width . '" height="' . $player->height . '">'; $html5 .= '<param name="movie" value="' . $src . '" />'; $html5 .= '<param name="allowfullscreen" value="true" />'; $html5 .= '<param name="allowscriptaccess" value="always" />'; $html5 .= '<param name="flashvars" value="' . $flashvars . '" />'; $html5 .= '<object type="application/x-shockwave-flash" data="' . $src . '" width="' . $player->width . '" height="' . $player->height . '">'; $html5 .= '<param name="movie" value="' . $src . '" />'; $html5 .= '<param name="allowfullscreen" value="true" />'; $html5 .= '<param name="allowscriptaccess" value="always" />'; $html5 .= '<param name="flashvars" value="' . $flashvars . '" />'; $html5 .= '</object>'; $html5 .= '</object>'; } $response = array( 'html5' =>$html5 ); die(json_encode($response)); } if('email' == $action && checkL($_POST["lic"])) { $to = $_POST["to"]; $from = $_POST["from"]; $url = $_POST["url"]; $subject = "You have received a video!"; $headers = "From: "."<" . $_POST["from"] .">\r\n"; $headers .= "Reply-To: " . $_POST["from"] . "\r\n"; $headers .= "Return-path: " . $_POST["from"]; $message = $_POST["message"] . "\n\n"; $message .= "Video URL: " . $url; if(mail($to, $subject, $message, $headers)) { echo "sent"; exit; } else { echo "error"; exit; } } } ?> ################################################ # Discovered By : Hassan Shakeri # Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir ###########################################################

References:

https://downloads.wordpress.org/plugin/hdw-player-video-player-video-gallery.3.4.zip
http://ashiyane.org/forums
https://twitter.com/ShakeriHassan


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top