================================================================================
____ _ _ ____ _ _ ____ _ _ ___ ____ ____
|__| | | |__| |__| |__| |_/ |__] |__| |__/
| | |___ |___ | | | | | | | \_ |__] | | | \
================================================================================
####
# Exploit Title: WordPress leaflet maps marker plugin Blind SQL Injection Vulnerability
# Author: KinG Of PiraTeS
# Facebook Profile: www.fb.me/cr4ck3d
# Facebeook Page : www.fb.me/serial.crack
# Facebeook Page : www.fb.me/Cars2Luxe
# E-mail: t5r@hotmail.com / cr4ck3d@offdr5cax.dz
# Web Site : www.1337day.com | www.inj3ct0rs.com
# Category:: webapps
# Google Dork: NA
# platform : php
# Vendor: http://www.mapsmarker.com/
# Version: 1.x.x
# Security Risk : High
# Tested on: [Windows 7 Edition Intégrale 64bit ]
####
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | * ------> KinG Of PiraTeS * The g0bl!n <-------- * |
# | ------------------------------------------------- < |
###
>>>>>>>>>>>>>>>>> Joyeux Anniversaire Bensekran Menaouri <<<<<<<<<<<<<<<<<<<<
#
1)Introduction
2)Vulnerability Description
3)Exploit
>> ----------------------------------------------------------------
1)Introduction
==============
The WordPress plugin “Leaflet Maps Marker” allows you to pin, organize & show your favorite places through OpenStreetMap on your blog and via different APIs on external websites or apps
2)Vulnerability Description
===========================
U can inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database.
Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password.
With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.
3)Exploit
=========
[~] P0c [~] :
============
Vuln file in :
http://Localhost/{Path}/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php
[~] Vuln Code [~] :
---
elseif (isset($_GET['marker'])) {
$markerid = mysql_real_escape_string($_GET['marker']);
$uid = substr(md5(''.rand()), 0, 8);
$pname = 'pa'.$uid;
$table_name_markers = $wpdb->prefix.'leafletmapsmarker_markers';
$row = $wpdb->get_row('SELECT id,markername,basemap,layer,lat,lon,icon,popuptext,zoom,openpopup,mapwidth,mapwidthunit,mapheight,panel,controlbox,overlays_custom,overlays_custom2,overlays_custom3,overlays_custom4,wms,wms2,wms3,wms4,wms5,wms6,wms7,wms8,wms9,wms10 FROM '.$table_name_markers.' WHERE id='.$markerid, ARRAY_A);
if(!empty($row)) {
.
.
.
-----
The Variable ID is Not filtred , It mean that u can Inject SQL Orders
[~] D3m0 [~] :
=============
often the ID Number 22 is Always Open
http://innsatmontpelier.com/wordpress/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=[Inj3ct Here]
http://firstcoastentertainment.com/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=[Inj3ct Here]
http://promotingot.org/wp-content/plugins/leaflet-maps-marker/leaflet-fullscreen.php?marker=[Inj3ct Here]
.
.
####
Peace From Algeria
####
=================================**Algerians Hackers**===============================================
# Greets To :
KedAns-Dz & Caddy-Dz & kalashinkov3 **All Algerians Hackers** , Kondamne , errajol ettayeb
(exploit-id.com) , (1337day.com) , (Sec4ever.com) , (h4ckforu.com) , (alboraaq.com)
All My Friendz: Hanixpo , Caddy-Dz , Indoushka , Jago-dz ,saoucha , BriscO-Dz
Over-X , Kha&miX ,Ev!LsCr!pT_Dz , T0xic , Tn_Scorpion , ..others ?___?
=====================================================================================================
