# Exploit Title: WordPress Plugin Facebook With Login - SQL injection & XSS
# Exploit Author: CrashBandicot
# Date: 2016-03-22
# Google Dork : inurl:/wp-content/plugins/facebook-with-login/
# Vendor Homepage: https://github.com/wp-plugins/facebook-with-login
# Tested on: MSWin32
# 11 SQL Injection & 1 XSS
# Note: the 11 SQL injections are the eleven mysql_query() calls quoted below, each executing a query built by string-concatenating raw $_POST values. The one XSS appears to be the `echo $q = ...` in stylesheets/updatefacebookkey.php, which reflects the unescaped POST values back into the response.
# Note: the quoted excerpts show no capability check or nonce verification, but the lines between the quoted ones are omitted — confirm whether these scripts are reachable without authentication before rating impact. If they are, changepassword.php and exist_mem.php are more than SQLi: they overwrite user_pass for, or delete, an attacker-chosen user ID.
# Note: the dork uses the directory `facebook-with-login` while the quoted paths use `facebookwithlogin`; confirm the actual plugin directory name on the target.
# Fix: cast `$id` to int, build every query with $wpdb->prepare() instead of concatenation, and never echo the raw query string; the mysql_* extension used here is deprecated.
# Vuln Files:
# /wp-content/plugins/facebookwithlogin/updateprofile.php
11. $id = $_POST['id'];
19. $fname = $_POST['fname'];
20. $lname = $_POST['lname'];
21. $email = $_POST['email'];
22. $url = $_POST['url'];
23. $binfo = $_POST['binfo'];
24. $q = "UPDATE $wpdb->users SET `user_url` = '" . $url . "',`user_email`='" . $email . "' WHERE `ID` = '" . $id . "'";
25. mysql_query($q);
26. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $fname . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='first_name'";
27. mysql_query($q);
28. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $lname . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='last_name'";
29. mysql_query($q);
30. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $binfo . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='description'";
31. mysql_query($q);
# /wp-content/plugins/facebookwithlogin/urlupdate.php
12. $id = $_POST['lid'];
13. $lurl = $_POST['loginurl'];
14. $lourl = $_POST['logouturl'];
16. $q = "UPDATE `fb_custom` SET `api`='".$lurl."',`secret` = '".$lourl."' WHERE `id` ='".$id."' LIMIT 1 ;";
17. mysql_query($q);
# /wp-content/plugins/facebookwithlogin/updatefacebookkey.php
3. $q = "UPDATE `fb_custom` SET `appid` = '".$_POST['appid']."',`api` = '".$_POST['api']."',`secret` = '".$_POST['secretkey']."' WHERE `id` = '".$_POST['fid']."' LIMIT 1 ;";
4. $f = mysql_query($q);
# /wp-content/plugins/facebookwithlogin/stylesheets/updatefacebookkey.php
3. echo $q = "UPDATE `".$wpdb->prefix."fb_custom` SET `appid` = '".$_POST['appid']."',`api` = '".$_POST['api']."',`secret` = '".$_POST['secretkey']."' WHERE `id` = '".$_POST['fid']."' LIMIT 1 ;";
# Note: line 3 both runs the injected query and echoes it, so the raw `appid`/`api`/`secretkey`/`fid` POST values are reflected unescaped — this is the reflected XSS counted in the header.
4. $f = mysql_query($q);
5. 
echo mysql_num_rows($f);
# /wp-content/plugins/facebookwithlogin/exist_mem.php
19. $log = $_POST['log'];
20. $delete_id = $_POST['id'];
25. $query_uname = "select * from $wpdb->users where user_login='" . $log . "'";
26. $result_uname = mysql_query($query_uname);
45. $delete = "Delete from $wpdb->users where ID = '" . $delete_id . "'";
46. mysql_query($delete);
# Note: line 45 deletes whichever $wpdb->users row matches the attacker-supplied `id`; lines 27-44 are omitted, so any condition guarding the delete is not visible here.
# /wp-content/plugins/facebookwithlogin/custom_check.php
12. $id = $_POST['fid'];
13. $v = $_POST['facebook_setting'];
15. $q = "UPDATE `fb_custom` SET `secret` = '" . $v . "' WHERE `id` ='" . $id . "' LIMIT 1 ;";
16. mysql_query mysql_query($q);
# Note: line 16 is quoted as written; the doubled `mysql_query` would be a PHP parse error, so this is probably a transcription slip in the advisory — verify against the plugin source.
# /wp-content/plugins/facebookwithlogin/changepassword.php
16. $id = $_POST['id'];
22. $q = "UPDATE $wpdb->users SET `user_pass` = '" . $pass . "' WHERE `ID` = '" . $id . "'";
23. mysql_query($q);
# Note: `$pass` is derived in omitted lines 17-21, so the injection point shown is `$id`; the statement overwrites user_pass for an attacker-chosen user ID, i.e. an account-takeover primitive if the script is reachable.
# Shootz to Magnom & Samim