# Exploit Title: Simple Ads Manager 2.9.4.116 SQL Injection # Date: 30-12-2015 # Software Link: https://wordpress.org/plugins/simple-ads-manager/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description $whereClause and $whereClauseT and $whereClauseW and $whereClause2W are not escaped. File: simple-ads-managerad.class.php $aSql = " (SELECT @pid := sp.id AS pid, 0 AS aid, sp.name, sp.patch_source AS code_mode, @code_before := sp.code_before AS code_before, @code_after := sp.code_after AS code_after, @ad_size := IF(sp.place_size = "custom", CONCAT(CAST(sp.place_custom_width AS CHAR), "x", CAST(sp.place_custom_height AS CHAR)), sp.place_size) AS ad_size, sp.patch_code AS ad_code, sp.patch_img AS ad_img, "" AS ad_alt, 0 AS ad_no, sp.patch_link AS ad_target, 0 AS ad_swf, "" AS ad_swf_flashvars, "" AS ad_swf_params, "" AS ad_swf_attributes, "" AS ad_swf_fallback, sp.patch_adserver AS ad_adserver, sp.patch_dfp AS ad_dfp, 0 AS count_clicks, 0 AS code_type, IF((sp.patch_source = 1 AND sp.patch_adserver) OR sp.patch_source = 2, -1, 1) AS ad_cycle, @aca := IFNULL((SELECT AVG(sa.ad_weight_hits*10/(sa.ad_weight*$cycle)) FROM $aTable sa WHERE sa.pid = @pid AND sa.trash IS NOT TRUE AND {$whereClause} {$whereClauseT} {$whereClause2W}), 0) AS aca FROM {$pTable} sp WHERE {$pId} AND sp.trash IS FALSE) UNION (SELECT sa.pid, sa.id AS aid, sa.name, sa.code_mode, @code_before AS code_before, @code_after AS code_after, @ad_size AS ad_size, sa.ad_code, sa.ad_img, sa.ad_alt, sa.ad_no, sa.ad_target, sa.ad_swf, sa.ad_swf_flashvars, sa.ad_swf_params, sa.ad_swf_attributes, sa.ad_swf_fallback, 0 AS ad_adserver, 0 AS ad_dfp, sa.count_clicks, sa.code_type, IF(sa.ad_weight, (sa.ad_weight_hits*10/(sa.ad_weight*$cycle)), 0) AS ad_cycle, @aca AS aca FROM {$aTable} sa WHERE sa.pid = @pid AND sa.trash IS FALSE AND {$whereClause} {$whereClauseT} {$whereClauseW}) ORDER BY ad_cycle LIMIT 1;"; http://security.szurek.pl/simple-ads-manager-294116-sql-injection.html 2. Proof of Concept
Administrator password will be here: {"success":true,"ad":"
","id":"1","pid":"%here_is_password%","cid":"c2077_1_%here_is_password%"} 3. Solution: Update to version 2.9.5.118 # Iranian Exploit DataBase = http://IeDb.Ir [2016-01-03]