$title

############################################################################################################ # Exploit Title : Wordpress Plugin Tierra Billboard Manager SQL Injection Vulnerability # Exploit Author : Linux Zone Research Team # Date : 14-December-2015 # Vendor Homepage: https://wordpress.org # Software Link : https://wordpress.org/plugins/tierra-billboard-manager/ # Version : 1.14 # Tested on : Linux - Chrome # CVE : NONE # MY HOME : http://linux-zone.org ############################################################################################################ # # Location : /wp-content/plugins/tierra-billboard-manager/tierra-billboard-playlist.php?id=[SQL] # ############################################################################################################ prefix . "ti_billboard_manager"; $playlist_id = intval($_GET['id']); $media_id = isset($_GET['media_id']) ? intval($_GET['media_id']) : -1; $baseurl = $_SERVER["QUERY_STRING"]; $pluginURL = WP_PLUGIN_URL; if ($media_id <= 0) { $sql = 'select title, image, tracks, creation_date, license from ' . $_billboard_manager . ' where id = ' . $wpdb->escape($playlist_id); } else { $sql = 'select id, post_title as title, "' . $media_id . '" as tracks, post_date as creation_date from ' . $wpdb->posts . ' where id = ' . $media_id; } $row = $wpdb->get_row($sql); $license = $row->license ? htmlentities($row->license) : ''; $title = htmlentities(stripslashes($row->title)); $tracks = split (',' , $row->tracks); $i = 0; echo<<<__END_OF_HEADER__ $title Tierra Billboard Manager Playlist generated via Tierra Billboard Manager, part of the Tierra WordPress CMS Toolkit http://tierra-innovation.com/wordpress-cms/ $pluginURL/tierra-billboard-manager/skin/brand.png $license $row->creation_date __END_OF_HEADER__ ; $wpuploads = wp_upload_dir(); if ($row->tracks) { foreach ($tracks as $track) { $sql = 'select id, post_title as track, guid, post_date, post_excerpt, post_modified from ' . $wpdb->posts . ' where id = ' . $track; $row = $wpdb->get_row($sql); if ($row) { $metadata = get_post_meta($row->id, '_wp_attachment_metadata', true); if ( ( $row->id = intval($row->id) ) && $thumb_url = get_attachment_icon_src( $row->id ) ) $thumb_url = htmlspecialchars($thumb_url[0]); else { $wpuploads = wp_upload_dir(); if ($metadata['file']) { $path_parts = pathinfo($metadata['file']); $datepath = $wpuploads['baseurl'] . "/" .$path_parts['dirname']; } $thumb_url = htmlspecialchars($metadata['sizes']['thumbnail']['file'] ? ($datepath . '/' . stripslashes($metadata['sizes']['thumbnail']['file']) ) : "/wp-includes/images/crystal/interactive.png"); } print " " . ( $row->guid ? htmlspecialchars($row->guid) : ( $wpuploads['baseurl'] . '/' . $metadata['file'] ))." " .( $metadata['_ti_bbm_artist'] ? htmlspecialchars($metadata['_ti_bbm_artist']) : "" )." " . ( $metadata['_ti_bbm_album'] ? htmlspecialchars($metadata['_ti_bbm_album']) : "" ). " $thumb_url " . ( $row->track ? htmlspecialchars($row->track) : "No title" ) . " Type:" .$wpdb->escape($row->post_mime_type) ."; " . $wpdb->escape($metadata['_ti_bbm_linkTo']) ." " . $wpdb->escape($metadata['_ti_bbm_tracknum']) ." " . $wpdb->escape($metadata['_ti_bbm_duration']) ." " . htmlspecialchars(stripslashes($row->post_excerpt)) . " "; } } } print<<<__END_OF_XML__ __END_OF_XML__ ; ?> ############################################# # # Hassan Shakeri - Mohammad Habili # # Twitter : @ShakeriHassan - Fb.com/General.BlackHat ##########################################################