Exploit YourMembers Plugin - Blind SQL Injection

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
34968
Проверка EDB
  1. Пройдено
Автор
TRANDINHTIEN
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2014-100003
Дата публикации
2014-10-14
YourMembers Plugin - Blind SQL Injection
Код:
Vulnerability title: Blind SQL Injection Vulnerability in YourMembers plugin
CVE: N/A
Vendor: YourMembers plugin
Product: https://github.com/YourMembers/yourmembers/tree/master/ym_trunk
Affected version: Version 3, 29 June 2007 (https://github.com/YourMembers/yourmembers/blob/master/LICENSE)
Google dork: inurl:ym_download_id=
Fixed version: N/A
Reported by: Tien Tran Dinh - [email protected]


Details:

The Blind SQL injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URL and parameter has been confirmed to suffer from blind SQL injection:

GET /?ym_download_id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wfvt_2871549622=5434f2560126f; wpfront-notification-bar-landingpage=1; bp-activity-oldestpage=1; __utma=9793911.1350365293.1412756050.1412756050.1412756050.1; __utmb=9793911.1.10.1412756050; __utmc=9793911; __utmz=9793911.1412756050.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); all_RyDwsSBXVzZXJzGOTe_u0CDA-clickdesk_referrer=http%3A//www.google.com.vn/url%3Fsa%3Dt%26rct%3Dj%26q%3D%26esrc%3Ds%26source%3Dweb%26cd%3D1%26ved%3D0CB0QFjAA%26url%3Dhttp%253A%252F%252Fsdj
Connection: keep-alive

Vulnerable file: ym_trunk/includes/ym-download_functions.include.php 
Vulnerable code: (Line: 313 -> 329)
		function ym_get_download($id=false) {
			global $wpdb, $ym_dl_db;

			$row = new stdClass();
			$row->id = $row->title = $row->filename = $row->postDate = $row->members = $row->user = false;

			if ($id) {
				$sql = 'SELECT id, title, filename, postDate, members, user
						FROM ' . $ym_dl_db . '
						WHERE id = ' . $id;
				$row = $wpdb->get_row($sql);
			}

			return $row;
		} 
		
Credits: Thanks to 	Pham Kien Cuong ([email protected]), Dang Quoc Thai ([email protected]), Le Ngoc Phi ([email protected])
 
Источник
www.exploit-db.com

Похожие темы