WordPress Tierra Billboard Manager 1.14 SQL Injection



EKU-ID: 5302 CVE: OSVDB-ID:
Author: Linux Zone Research Team Published: 2015-12-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


############################################################################################################
# Exploit Title  : Wordpress Plugin Tierra Billboard Manager SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Date           : 14-December-2015
# Vendor Homepage: https://wordpress.org
# Software Link  : https://wordpress.org/plugins/tierra-billboard-manager/
# Version        : 1.14
# Tested on      : Linux - Chrome
# CVE            : NONE
# MY HOME        : http://linux-zone.org
############################################################################################################
#
# Location : /wp-content/plugins/tierra-billboard-manager/tierra-billboard-playlist.php?id=[SQL]
#
############################################################################################################
<?php
header("Content-Type: text/html");
/*
if (isset($_GET['preview']) && $_GET['preview'] == 'true' )	{
	header("Content-Type: application/xml;charset=utf-8");
}	else	{
	header("Content-Type: application/xspf+xml;charset=utf-8");

}
*/


require_once('../../../wp-config.php');
require_once('../../../wp-settings.php');

global $wpdb, $_billboard_manager_db_version, $_billboard_manager, $baseurl, $pluginurl;

$_billboard_manager = $wpdb->prefix . "ti_billboard_manager";

$playlist_id = intval($_GET['id']);

$media_id = isset($_GET['media_id']) ? intval($_GET['media_id']) : -1;

$baseurl =  $_SERVER["QUERY_STRING"];

$pluginURL = WP_PLUGIN_URL;

if ($media_id <= 0)	{

	$sql = 'select title, image, tracks, creation_date, license from  ' . $_billboard_manager . ' where id = ' . $wpdb->escape($playlist_id);

}	else	{
	
	$sql = 'select id, post_title as title, "' . $media_id . '" as tracks, post_date as creation_date  from ' . $wpdb->posts . ' where id = ' . $media_id; 
	
}

$row = $wpdb->get_row($sql);

$license = $row->license ? htmlentities($row->license) : '';

$title = htmlentities(stripslashes($row->title));
$tracks = split (',' , $row->tracks);
$i = 0;


echo<<<__END_OF_HEADER__
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns = "http://xspf.org/ns/0/">
	<title>$title</title>
	<creator>Tierra Billboard Manager</creator>
	<annotation>Playlist generated via Tierra Billboard Manager, part of the Tierra WordPress CMS Toolkit</annotation>
	<info>http://tierra-innovation.com/wordpress-cms/</info>
	<image>$pluginURL/tierra-billboard-manager/skin/brand.png</image>
	<license>$license</license>
	<date>$row->creation_date</date>
	<trackList>
__END_OF_HEADER__
;

$wpuploads = wp_upload_dir();

if ($row->tracks)	{
	foreach ($tracks as $track)	{ 
		$sql = 'select id, post_title as track, guid, post_date, post_excerpt, post_modified from ' . $wpdb->posts . ' where id = ' . $track;

		$row = $wpdb->get_row($sql);
		
		if ($row) {
			$metadata = get_post_meta($row->id, '_wp_attachment_metadata', true);
	
	
			if ( ( $row->id = intval($row->id) ) && $thumb_url = get_attachment_icon_src( $row->id ) )
				$thumb_url =  htmlspecialchars($thumb_url[0]);
			else {
				$wpuploads = wp_upload_dir();
				if ($metadata['file'])	{
					$path_parts = pathinfo($metadata['file']);
					$datepath = $wpuploads['baseurl'] . "/" .$path_parts['dirname'];
				}
				$thumb_url =  htmlspecialchars($metadata['sizes']['thumbnail']['file']
					?	($datepath  . '/' . stripslashes($metadata['sizes']['thumbnail']['file']) )
					:	"/wp-includes/images/crystal/interactive.png");
			}
		
	
			
			print "
		<track>
			<location>" . ( $row->guid ? htmlspecialchars($row->guid) : ( $wpuploads['baseurl'] . '/' . $metadata['file']  ))."</location>
			
			<creator>" .( $metadata['_ti_bbm_artist'] ? htmlspecialchars($metadata['_ti_bbm_artist']) : "" )."</creator>
			<album>" . ( $metadata['_ti_bbm_album'] ? htmlspecialchars($metadata['_ti_bbm_album']) : "" ). "</album>
			<image>$thumb_url</image>
			<title>" . ( $row->track ? htmlspecialchars($row->track) : "No title" ) . "</title>
			<annotation>Type:" .$wpdb->escape($row->post_mime_type) .";</annotation>
			<info>" . $wpdb->escape($metadata['_ti_bbm_linkTo']) ."</info>
			<trackNum>" .  $wpdb->escape($metadata['_ti_bbm_tracknum']) ."</trackNum>
			<duration>" . $wpdb->escape($metadata['_ti_bbm_duration'])  ."</duration>
			<meta><description>" . htmlspecialchars(stripslashes($row->post_excerpt)) . "</description></meta>
			
		</track>
				";			
		}
	}
}



print<<<__END_OF_XML__

	</trackList>
</playlist>	


__END_OF_XML__
;

?>
#############################################
#
#  Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan   -  Fb.com/General.BlackHat
##########################################################