WordPress Video Gallery 2.7 SQL Injection

 Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]

######################

# Exploit Title : WordPress Video Gallery 2.7 SQL Injection Vulnerabilitiy

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss

# Date : 2015-02-10

# Tested on : Windows 7 / Mozilla Firefox
 Linux / Mozilla Firefox 

######################

# Vulnerability Disclosure Timeline:

2015-02-08: Discovered vulnerability
2015-02-09: Vendor Notification
2015-02-10: Vendor Response/Feedback 
2015-02-10: Vendor Send Fix/Patch 
2015-02-10: Public Disclosure 

# Description

Wordpress Video Gallery 2.7 suffers from SQL injection


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47 

from:

 $vid = filter_input(INPUT_GET,'vid');
to:

 $vid = intval(filter_input(INPUT_GET,'vid'));

#####################

Discovered By : Claudio Viviani

http://www.homelab.it

                info@homelab.it
                homelabit@protonmail.ch

https://www.facebook.com/homelabit


https://twitter.com/homelabit


https://plus.google.com/+HomelabIt1/


######################

# Exploit Title : WordPress Video Gallery 2.7 SQL Injection Vulnerabilitiy

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss

# Date : 2015-02-10

# Tested on : Windows 7 / Mozilla Firefox
 Linux / Mozilla Firefox 

######################

# Vulnerability Disclosure Timeline:

2015-02-08: Discovered vulnerability
2015-02-09: Vendor Notification
2015-02-10: Vendor Response/Feedback 
2015-02-10: Vendor Send Fix/Patch 
2015-02-10: Public Disclosure 

# Description

Wordpress Video Gallery 2.7 suffers from SQL injection


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47 

from:

 $vid = filter_input(INPUT_GET,'vid');
to:

 $vid = intval(filter_input(INPUT_GET,'vid'));

#####################

Discovered By : Claudio Viviani

http://www.homelab.it

                info@homelab.it
                homelabit@protonmail.ch

https://www.facebook.com/homelabit


https://twitter.com/homelabit


https://plus.google.com/+HomelabIt1/


https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
#####################