############################################################################################################
# Exploit Title  : Wordpress Plugin Tierra Billboard Manager SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Date           : 14-December-2015
# Vendor Homepage: https://wordpress.org
# Software Link  : https://wordpress.org/plugins/tierra-billboard-manager/
# Version        : 1.14
# Tested on      : Linux - Chrome
# CVE            : NONE
# MY HOME        : http://linux-zone.org
############################################################################################################
#
# Location : /wp-content/plugins/tierra-billboard-manager/tierra-billboard-playlist.php?id=[SQL]
#
############################################################################################################
<?php
header("Content-Type: text/html");
/*
if (isset($_GET['preview']) && $_GET['preview'] == 'true' )  {
  header("Content-Type: application/xml;charset=utf-8");
}  else  {
  header("Content-Type: application/xspf+xml;charset=utf-8");

}
*/


require_once('../../../wp-config.php');
require_once('../../../wp-settings.php');

global $wpdb, $_billboard_manager_db_version, $_billboard_manager, $baseurl, $pluginurl;

$_billboard_manager = $wpdb->prefix . "ti_billboard_manager";

$playlist_id = intval($_GET['id']);

$media_id = isset($_GET['media_id']) ? intval($_GET['media_id']) : -1;

$baseurl =  $_SERVER["QUERY_STRING"];

$pluginURL = WP_PLUGIN_URL;

if ($media_id <= 0)  {

  $sql = 'select title, image, tracks, creation_date, license from  ' . $_billboard_manager . ' where id = ' . $wpdb->escape($playlist_id);

}  else  {
  
  $sql = 'select id, post_title as title, "' . $media_id . '" as tracks, post_date as creation_date  from ' . $wpdb->posts . ' where id = ' . $media_id; 
  
}

$row = $wpdb->get_row($sql);

$license = $row->license ? htmlentities($row->license) : '';

$title = htmlentities(stripslashes($row->title));
$tracks = split (',' , $row->tracks);
$i = 0;


echo<<<__END_OF_HEADER__
<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns = "http://xspf.org/ns/0/">
  <title>$title</title>
  <creator>Tierra Billboard Manager</creator>
  <annotation>Playlist generated via Tierra Billboard Manager, part of the Tierra WordPress CMS Toolkit</annotation>
  <info>http://tierra-innovation.com/wordpress-cms/</info>
  <image>$pluginURL/tierra-billboard-manager/skin/brand.png</image>
  <license>$license</license>
  <date>$row->creation_date</date>
  <trackList>
__END_OF_HEADER__
;

$wpuploads = wp_upload_dir();

if ($row->tracks)  {
  foreach ($tracks as $track)  { 
    $sql = 'select id, post_title as track, guid, post_date, post_excerpt, post_modified from ' . $wpdb->posts . ' where id = ' . $track;

    $row = $wpdb->get_row($sql);
    
    if ($row) {
      $metadata = get_post_meta($row->id, '_wp_attachment_metadata', true);
  
  
      if ( ( $row->id = intval($row->id) ) && $thumb_url = get_attachment_icon_src( $row->id ) )
        $thumb_url =  htmlspecialchars($thumb_url[0]);
      else {
        $wpuploads = wp_upload_dir();
        if ($metadata['file'])  {
          $path_parts = pathinfo($metadata['file']);
          $datepath = $wpuploads['baseurl'] . "/" .$path_parts['dirname'];
        }
        $thumb_url =  htmlspecialchars($metadata['sizes']['thumbnail']['file']
          ?  ($datepath  . '/' . stripslashes($metadata['sizes']['thumbnail']['file']) )
          :  "/wp-includes/images/crystal/interactive.png");
      }
    
  
      
      print "
    <track>
      <location>" . ( $row->guid ? htmlspecialchars($row->guid) : ( $wpuploads['baseurl'] . '/' . $metadata['file']  ))."</location>
      
      <creator>" .( $metadata['_ti_bbm_artist'] ? htmlspecialchars($metadata['_ti_bbm_artist']) : "" )."</creator>
      <album>" . ( $metadata['_ti_bbm_album'] ? htmlspecialchars($metadata['_ti_bbm_album']) : "" ). "</album>
      <image>$thumb_url</image>
      <title>" . ( $row->track ? htmlspecialchars($row->track) : "No title" ) . "</title>
      <annotation>Type:" .$wpdb->escape($row->post_mime_type) .";</annotation>
      <info>" . $wpdb->escape($metadata['_ti_bbm_linkTo']) ."</info>
      <trackNum>" .  $wpdb->escape($metadata['_ti_bbm_tracknum']) ."</trackNum>
      <duration>" . $wpdb->escape($metadata['_ti_bbm_duration'])  ."</duration>
      <meta><description>" . htmlspecialchars(stripslashes($row->post_excerpt)) . "</description></meta>
      
    </track>
        ";      
    }
  }
}



print<<<__END_OF_XML__

  </trackList>
</playlist>  


__END_OF_XML__
;

?>
#############################################
#
#  Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan   -  Fb.com/General.BlackHat
##########################################################