
Locked WordPress Facebook With Login 1.0 Cross Site Scripting / SQL Injection


dEEpEst


WordPress Facebook With Login 1.0 Cross Site Scripting / SQL Injection

Published: 2016.03.24

Credit: CrashBandicot

Risk: Medium

CWE: CWE-89, CWE-79

CVE: N/A

Local: No

Remote: Yes

 

Dork: inurl:/wp-content/plugins/facebook-with-login/

 

# Exploit Title: Wordpress Plugin Facebook With Login - SQL injection & XSS

# Exploit Author: CrashBandicot

# Date: 2016-03-22

# Google Dork : inurl:/wp-content/plugins/facebook-with-login/

# Vendor Homepage: (link hidden by the forum; not included on this page)

# Tested on: MSWin32

 

 

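# 11 SQL Injection & 1 XSS

# Common root cause in the files below: $_POST values are concatenated directly into SQL strings that are passed to mysql_query(), with no escaping or parameter binding in the quoted lines. The excerpts are non-contiguous (the leading numbers are line numbers in the plugin files), so any checks on the omitted lines are not visible here.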

 

 

# Vuln Files:

# /wp-content/plugins/facebookwithlogin/updateprofile.php

 

 

// Review note (updateprofile.php excerpt; leading numbers are the plugin's own line numbers).
// Six $_POST fields are copied into locals unchanged and then concatenated, wrapped only in
// single quotes, into the four UPDATE statements on listing lines 24-30. A quote character
// in any field therefore alters the SQL that mysql_query() runs (CWE-89).
// The target row is selected by the request-supplied `id`; no ownership, capability or nonce
// check appears in the quoted lines (lines 12-18 are not shown — confirm against the file).
// Remediation: use $wpdb->update() or $wpdb->prepare() with %s/%d placeholders, take the
// user ID from the authenticated session (get_current_user_id()) instead of the request,
// and drop the mysql_* API, which was removed in PHP 7.0.
11. $id = $_POST['id'];

19. $fname = $_POST['fname'];

20. $lname = $_POST['lname'];

21. $email = $_POST['email'];

22. $url = $_POST['url'];

23. $binfo = $_POST['binfo'];

24. $q = "UPDATE $wpdb->users SET `user_url` = '" . $url . "',`user_email`='" . $email . "' WHERE `ID` = '" . $id . "'";

25. mysql_query($q);

26. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $fname . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='first_name'";

27. mysql_query($q);

28. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $lname . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='last_name'";

29. mysql_query($q);

30. $q = "UPDATE $wpdb->usermeta SET `meta_value` = '" . $binfo . "' WHERE `user_id` = '" . $id . "' AND `meta_key`='description'";

31. mysql_query($q);

 

 

 

# /wp-content/plugins/facebookwithlogin/urlupdate.php

 

 

// Review note (urlupdate.php excerpt): `lid`, `loginurl` and `logouturl` are read from $_POST
// and concatenated into the UPDATE on `fb_custom` (listing line 16) with quote wrapping only,
// so all three are SQL injection points (CWE-89).
// No authorization or nonce check is visible in the quoted lines (line 15 and lines 1-11 are
// not shown — confirm). Remediation: $wpdb->prepare() / $wpdb->update() with typed
// placeholders, behind a capability check for whoever may change these settings.
12. $id = $_POST['lid'];

13. $lurl = $_POST['loginurl'];

14. $lourl = $_POST['logouturl'];

16. $q = "UPDATE `fb_custom` SET `api`='".$lurl."',`secret` = '".$lourl."' WHERE `id` ='".$id."' LIMIT 1 ;";

17. mysql_query($q);

 

 

 

# /wp-content/plugins/facebookwithlogin/updatefacebookkey.php

 

 

 

// Review note (updatefacebookkey.php excerpt): four $_POST values (`appid`, `api`, `secretkey`,
// `fid`) are interpolated directly into the UPDATE statement, each an injection point (CWE-89).
// The statement overwrites the `appid`/`api`/`secret` columns of `fb_custom` — presumably the
// plugin's Facebook app credentials; verify against the plugin schema.
// Lines 1-2 are not shown, so whether any access check precedes this is unknown from here.
// Remediation: parameterize via $wpdb->prepare() and require an admin capability plus nonce.
3. $q = "UPDATE `fb_custom` SET `appid` = '".$_POST['appid']."',`api` = '".$_POST['api']."',`secret` = '".$_POST['secretkey']."' WHERE `id` = '".$_POST['fid']."' LIMIT 1 ;";

4. $f = mysql_query($q);

 

 

 

# /wp-content/plugins/facebookwithlogin/stylesheets/updatefacebookkey.php

 

 

// Review note (stylesheets/updatefacebookkey.php excerpt): same string-built UPDATE as the
// sibling updatefacebookkey.php, here against the prefixed table, with the same four
// unescaped $_POST values (CWE-89).
// `echo $q = ...` also writes the assembled query, including the raw request values, into the
// HTTP response without HTML encoding. This is a reflected XSS sink (CWE-79) and likely the
// single XSS the advisory counts; it also discloses the query text.
// mysql_query() returns a boolean for UPDATE statements, so the mysql_num_rows($f) call on
// listing line 5 is not given a result set.
// Remediation: remove the debug echo (or pass output through esc_html()), and parameterize
// the query with $wpdb->prepare().
3. echo $q = "UPDATE `".$wpdb->prefix."fb_custom` SET `appid` = '".$_POST['appid']."',`api` = '".$_POST['api']."',`secret` = '".$_POST['secretkey']."' WHERE `id` = '".$_POST['fid']."' LIMIT 1 ;";

4. $f = mysql_query($q);

5. echo mysql_num_rows($f);

 

 

 

# /wp-content/plugins/facebookwithlogin/exist_mem.php

 

 

 

// Review note (exist_mem.php excerpt): `log` is concatenated into a SELECT on the users table
// (listing line 25) and `id` into a DELETE on the same table (listing line 45); both are
// injection points (CWE-89).
// Beyond injection, the DELETE removes whichever user row the request names. The conditions
// guarding it sit on lines 27-44, which are not shown — confirm whether any capability
// check exists there.
// Remediation: $wpdb->prepare() with %s for the login and %d for the ID, and perform deletion
// through wp_delete_user() only after current_user_can('delete_users') and a nonce check.
19. $log = $_POST['log'];

20. $delete_id = $_POST['id'];

25. $query_uname = "select * from $wpdb->users where user_login='" . $log . "'";

26. $result_uname = mysql_query($query_uname);

45. $delete = "Delete from $wpdb->users where ID = '" . $delete_id . "'";

46. mysql_query($delete);

 

 

 

 

# /wp-content/plugins/facebookwithlogin/custom_check.php

 

 

 

// Review note (custom_check.php excerpt): `fid` and `facebook_setting` come from $_POST and are
// concatenated into the UPDATE of `fb_custom`.`secret` on listing line 15 (CWE-89).
// NOTE(review): "mysql_query mysql_query($q);" on listing line 16 looks like a duplicated token
// from transcription of the advisory — confirm against the plugin source.
// Remediation: $wpdb->prepare() / $wpdb->update() with typed placeholders, behind a capability
// and nonce check.
12. $id = $_POST['fid'];

13. $v = $_POST['facebook_setting'];

15. $q = "UPDATE `fb_custom` SET `secret` = '" . $v . "' WHERE `id` ='" . $id . "' LIMIT 1 ;";

16. mysql_query mysql_query($q);

 

 

 

# /wp-content/plugins/facebookwithlogin/changepassword.php

 

 

// Review note (changepassword.php excerpt): the request-supplied `id` is concatenated into the
// WHERE clause of an UPDATE on `user_pass` (listing line 22), so it is an injection point
// (CWE-89) and it also decides whose password row is written.
// $pass is assigned on lines that are not shown (17-21); whether it is validated or hashed
// cannot be determined from this excerpt — confirm against the file.
// Remediation: take the user ID from the authenticated session, verify the current password or
// a reset token, and change the password through wp_set_password() instead of raw SQL.
16. $id = $_POST['id'];

22. $q = "UPDATE $wpdb->users SET `user_pass` = '" . $pass . "' WHERE `ID` = '" . $id . "'";

23. mysql_query($q);
