Wordpress Video Gallery 2.7.0 SQL Injection Vulnerability

######################
 
# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability
 
# Exploit Author : Claudio Viviani
 
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
 
# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip
 
# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss
             
 
# Date : 2015-02-11
 
# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox        
 
######################
 
# Vulnerability Disclosure Timeline:
 
2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor Notification
2015-02-10:  Vendor Response/Feedback
2015-02-10:  Vendor Send Fix/Patch
2015-02-11:  Public Disclosure
 
# Description
 
Wordpress Video Gallery 2.7 suffers from SQL injection
 
 
######################
 
# PoC
 
http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]
 
 
#####################
 
# Fix/patch sent by apptha's developer
 
File: videogalleryrss.php
 
Change line n.47
 
from:
 
        $vid             = filter_input(INPUT_GET,'vid');
to:
 
        $vid             = intval(filter_input(INPUT_GET,'vid'));
 
#####################
 
Discovered By : Claudio Viviani
            http://www.homelab.it
            [email protected]
            [email protected]
 
            https://www.facebook.com/homelabit
            https://twitter.com/homelabit
            https://plus.google.com/+HomelabIt1/
        https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################

#  0day.today [2018-03-05]  #