[align=LEFT]
[align=CENTER]WordPress WP Symposium plugin <= 11.12.08 SQL Injection[/align]
[php]
# Exploit Title: WordPress WP Symposium plugin <= 11.12.08 SQL Injection Vulnerability
# Google Dork: Mbah_Semar Ganteng
# Date: Dec 15, 2011
# Author: Mbah_Semar | fuji[at]hacker[dot]or[dot]id |
# Software Link: http://downloads.wordpress.org/plugi...m.11.12.08.zip
# Vendor : http://www.wpsymposium.com/
# Version: 11.12.08
# Tested on: My Blog
# Greetz: Inj3ct0r Team 1337day.com
---
PoC
---
http://site/[path]/pagename/profile?uid=1[SQLi]
---------------
Vulnerable code
---------------
wp-content/plugins/wp-symposium/symposium_profile.php
// Excerpt quoted from symposium_profile.php: sets $uid from the request if present,
// otherwise from the logged-in user.
if (isset($_GET['uid'])) {
// Untrusted input: the raw query-string value is stored with no type check, cast or escaping.
// NOTE(review): the SQL statement that consumes $uid is not part of this excerpt; the advisory
// reports it is used unfiltered. A fix would cast the value here (e.g. absint()) and bind it
// with $wpdb->prepare() where the query is built.
$uid = $_GET['uid'];
} else {
// No uid supplied: fall back to the ID of $current_user.
$uid = $current_user->ID;
}
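The value of $uid is then used in a SQL query without being filtered or cast to an integer, which is what makes the uid parameter injectable. Remediation: cast the parameter to an integer (for example with absint()) and build the query with $wpdb->prepare() instead of string concatenation.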
[/php][/align]
[align=CENTER]WordPress WP Symposium plugin <= 11.12.08 SQL Injection[/align]
[php]
# Exploit Title: WordPress WP Symposium plugin <= 11.12.08 SQL Injection Vulnerability
# Google Dork: Mbah_Semar Ganteng
# Date: Dec 15, 2011
# Author: Mbah_Semar | fuji[at]hacker[dot]or[dot]id |
# Software Link: http://downloads.wordpress.org/plugi...m.11.12.08.zip
# Vendor : http://www.wpsymposium.com/
# Version: 11.12.08
# Tested on: My Blog
# Greetz: Inj3ct0r Team 1337day.com
---
PoC
---
http://site/[path]/pagename/profile?uid=1[SQLi]
---------------
Vulnerable code
---------------
wp-content/plugins/wp-symposium/symposium_profile.php
// Excerpt quoted from symposium_profile.php: sets $uid from the request if present,
// otherwise from the logged-in user.
if (isset($_GET['uid'])) {
// Untrusted input: the raw query-string value is stored with no type check, cast or escaping.
// NOTE(review): the SQL statement that consumes $uid is not part of this excerpt; the advisory
// reports it is used unfiltered. A fix would cast the value here (e.g. absint()) and bind it
// with $wpdb->prepare() where the query is built.
$uid = $_GET['uid'];
} else {
// No uid supplied: fall back to the ID of $current_user.
$uid = $current_user->ID;
}
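The value of $uid is then used in a SQL query without being filtered or cast to an integer, which is what makes the uid parameter injectable. Remediation: cast the parameter to an integer (for example with absint()) and build the query with $wpdb->prepare() instead of string concatenation.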
[/php][/align]