WordPress Video Gallery 2.8 SQL Injection

WordPress Video Gallery 2.8 SQL Injection: Posted Apr 14, 2015; Authored by Claudio Viviani; WordPress Video Gallery plugin version 2.8 suffers from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 2a03380193003bbe9235920994e16af47220139c1f116419515e226aad7aa622; Download | Favorite | View

WordPress Video Gallery 2.8 SQL Injection

######################

# Exploit Title : Wordpress Video Gallery 2.8 SQL Injection Vulnerabilitiey

# Exploit Author : Claudio Viviani

# Vendor Homepage : https://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense
            

# Date : 2015-04-04

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Description

 Wordpress Video Gallery 2.8 suffers from SQL injection
 
 
 Location file: /contus-video-gallery/hdflvvideoshare.php
 
 add_action('wp_ajax_googleadsense' ,'google_adsense');
 add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');
 function google_adsense(){
     global $wpdb;
     $vid = $_GET['vid'];  
     $google_adsense_id =  $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
     $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
     $google_adsense = unserialize($query);
     echo $google_adsense['googleadsense_code']; 
     die();

 $vid = $_GET['vid']; is not sanitized

######################

# PoC

 https://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[SQLi]


######################

# Vulnerability Disclosure Timeline:

2015-04-04:  Discovered vulnerability
2015-04-06:  Vendor Notification
2015-04-06:  Vendor Response/Feedback 
2015-04-07:  Vendor Send Fix/Patch (same version number)
2015-04-13:  Public Disclosure 

#######################

Discovered By : Claudio Viviani
                https://www.homelab.it
        https://ffhd.homelab.it (Free Fuzzy Hashes Database)
        
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 60 files
LiquidWorm 20 files
Debian 19 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,159)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,840)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,249)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,974)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

WordPress Video Gallery 2.8 SQL Injection

WordPress Video Gallery 2.8 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

WordPress Video Gallery 2.8 SQL Injection

Share This

WordPress Video Gallery 2.8 SQL Injection

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems