WordPress Video Gallery 2.7 SQL Injection

2015-02-12T00:00:00
ID PACKETSTORM:130371
Type packetstorm
Reporter Claudio Viviani
Modified 2015-02-12T00:00:00

Description

                                        
                                            `######################  
  
# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability  
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery  
  
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip  
  
# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss  
  
  
# Date : 2015-02-11  
  
# Tested on : Windows 7 / Mozilla Firefox  
Linux / Mozilla Firefox   
  
######################  
  
# Vulnerability Disclosure Timeline:  
  
2015-02-08: Discovered vulnerability  
2015-02-09: Vendor Notification  
2015-02-10: Vendor Response/Feedback   
2015-02-10: Vendor Send Fix/Patch   
2015-02-11: Public Disclosure   
  
# Description  
  
Wordpress Video Gallery 2.7 suffers from SQL injection  
  
  
######################  
  
# PoC  
  
http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]  
  
  
#####################  
  
# Fix/patch sent by apptha's developer  
  
File: videogalleryrss.php  
  
Change line n.47   
  
from:  
  
$vid = filter_input(INPUT_GET,'vid');  
to:  
  
$vid = intval(filter_input(INPUT_GET,'vid'));  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
info@homelab.it  
homelabit@protonmail.ch  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
  
#####################`