Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbTranDinhTienEDB-ID:34968
HistoryOct 14, 2014 - 12:00 a.m.

YourMembers Plugin - Blind SQL Injection

2014-10-1400:00:00
TranDinhTien
www.exploit-db.com
18

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

42.0%

JSON
Vulnerability title: Blind SQL Injection Vulnerability in YourMembers plugin
CVE: N/A
Vendor: YourMembers plugin
Product: https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
Affected version: Version 3, 29 June 2007 (https://github.com/YourMembers/yourmembers/blob/master/LICENSE)
Google dork: inurl:ym_download_id=
Fixed version: N/A
Reported by: Tien Tran Dinh - [email protected]


Details:

The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:

GET /?ym_download_id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wfvt_2871549622=5434f2560126f; wpfront-notification-bar-landingpage=1; bp-activity-oldestpage=1; __utma=9793911.1350365293.1412756050.1412756050.1412756050.1; __utmb=9793911.1.10.1412756050; __utmc=9793911; __utmz=9793911.1412756050.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); all_RyDwsSBXVzZXJzGOTe_u0CDA-clickdesk_referrer=http%3A//www.google.com.vn/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26ved%3D0CB0QFjAA%26url%3Dhttp%253A%252F%252Fsdj
Connection: keep-alive

Vulnerable file: ym_trunk/includes/ym-download_functions.include.php 
Vulnerable code: (Line: 313 -> 329)
		function ym_get_download($id=false) {
			global $wpdb, $ym_dl_db;

			$row = new stdClass();
			$row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;

			if ($id) {
				$sql = 'SELECT id, title, filename, postDate, members, user
						FROM ' . $ym_dl_db . '
						WHERE id = ' . $id;
				$row = $wpdb->get_row($sql);
			}

			return $row;
		} 
		
Credits: Thanks to 	Pham Kien Cuong ([email protected]), Dang Quoc Thai ([email protected]), Le Ngoc Phi ([email protected])

Related

cve 1
nvd 1
prion 1
cvelist 1
cve
cve
CVE-2014-100003
2015-01-13 11:59:02
nvd
nvd
CVE-2014-100003
2015-01-13 11:59:02
prion
prion
Sql injection
2015-01-13 11:59:00
cvelist
cvelist
CVE-2014-100003
2015-01-13 11:00:00

AI Score

7.4

Confidence

Low

EPSS

0.001

Percentile

42.0%

JSON
Related for EDB-ID:34968
cve1nvd1prion1cvelist1