############################################################################################################ # Exploit Title : Wordpress Plugin Tierra Billboard Manager SQL Injection Vulnerability # Exploit Author : Linux Zone Research Team # Date : 14-December-2015 # Vendor Homepage: https://wordpress.org # Software Link : https://wordpress.org/plugins/tierra-billboard-manager/ # Version : 1.14 # Tested on : Linux - Chrome # CVE : NONE # MY HOME : http://linux-zone.org ############################################################################################################ # # Location : /wp-content/plugins/tierra-billboard-manager/tierra-billboard-playlist.php?id=[SQL] # ############################################################################################################ <?php header("Content-Type: text/html"); /* if (isset($_GET['preview']) && $_GET['preview'] == 'true' ) { header("Content-Type: application/xml;charset=utf-8"); } else { header("Content-Type: application/xspf+xml;charset=utf-8"); } */ require_once('../../../wp-config.php'); require_once('../../../wp-settings.php'); global $wpdb, $_billboard_manager_db_version, $_billboard_manager, $baseurl, $pluginurl; $_billboard_manager = $wpdb->prefix . "ti_billboard_manager"; $playlist_id = intval($_GET['id']); $media_id = isset($_GET['media_id']) ? intval($_GET['media_id']) : -1; $baseurl = $_SERVER["QUERY_STRING"]; $pluginURL = WP_PLUGIN_URL; if ($media_id <= 0) { $sql = 'select title, image, tracks, creation_date, license from ' . $_billboard_manager . ' where id = ' . $wpdb->escape($playlist_id); } else { $sql = 'select id, post_title as title, "' . $media_id . '" as tracks, post_date as creation_date from ' . $wpdb->posts . ' where id = ' . $media_id; } $row = $wpdb->get_row($sql); $license = $row->license ? htmlentities($row->license) : ''; $title = htmlentities(stripslashes($row->title)); $tracks = split (',' , $row->tracks); $i = 0; echo<<<__END_OF_HEADER__ <?xml version="1.0" encoding="UTF-8"?> <playlist version="1" xmlns = "http://xspf.org/ns/0/"> <title>$title</title> <creator>Tierra Billboard Manager</creator> <annotation>Playlist generated via Tierra Billboard Manager, part of the Tierra WordPress CMS Toolkit</annotation> <info>http://tierra-innovation.com/wordpress-cms/</info> <image>$pluginURL/tierra-billboard-manager/skin/brand.png</image> <license>$license</license> <date>$row->creation_date</date> <trackList> __END_OF_HEADER__ ; $wpuploads = wp_upload_dir(); if ($row->tracks) { foreach ($tracks as $track) { $sql = 'select id, post_title as track, guid, post_date, post_excerpt, post_modified from ' . $wpdb->posts . ' where id = ' . $track; $row = $wpdb->get_row($sql); if ($row) { $metadata = get_post_meta($row->id, '_wp_attachment_metadata', true); if ( ( $row->id = intval($row->id) ) && $thumb_url = get_attachment_icon_src( $row->id ) ) $thumb_url = htmlspecialchars($thumb_url[0]); else { $wpuploads = wp_upload_dir(); if ($metadata['file']) { $path_parts = pathinfo($metadata['file']); $datepath = $wpuploads['baseurl'] . "/" .$path_parts['dirname']; } $thumb_url = htmlspecialchars($metadata['sizes']['thumbnail']['file'] ? ($datepath . '/' . stripslashes($metadata['sizes']['thumbnail']['file']) ) : "/wp-includes/images/crystal/interactive.png"); } print " <track> <location>" . ( $row->guid ? htmlspecialchars($row->guid) : ( $wpuploads['baseurl'] . '/' . $metadata['file'] ))."</location> <creator>" .( $metadata['_ti_bbm_artist'] ? htmlspecialchars($metadata['_ti_bbm_artist']) : "" )."</creator> <album>" . ( $metadata['_ti_bbm_album'] ? htmlspecialchars($metadata['_ti_bbm_album']) : "" ). "</album> <image>$thumb_url</image> <title>" . ( $row->track ? htmlspecialchars($row->track) : "No title" ) . "</title> <annotation>Type:" .$wpdb->escape($row->post_mime_type) .";</annotation> <info>" . $wpdb->escape($metadata['_ti_bbm_linkTo']) ."</info> <trackNum>" . $wpdb->escape($metadata['_ti_bbm_tracknum']) ."</trackNum> <duration>" . $wpdb->escape($metadata['_ti_bbm_duration']) ."</duration> <meta><description>" . htmlspecialchars(stripslashes($row->post_excerpt)) . "</description></meta> </track> "; } } } print<<<__END_OF_XML__ </trackList> </playlist> __END_OF_XML__ ; ?> ############################################# # # Hassan Shakeri - Mohammad Habili # # Twitter : @ShakeriHassan - Fb.com/General.BlackHat ##########################################################