Wordpress flash album gallery Plugins SQL Vulnerability.

Published
Credit
Risk
2017.04.23
Ashiyane Digital Security Team
Medium
CWE
CVE
Local
Remote
CWE-89
N/A
No
Yes
Dork: inurl:"/wp-content/plugins/flash-album-gallery/"

############################################
# Exploit Title : Wordpress flash album gallery Plugins SQL Vulnerability.
# Exploit Author : Ashiyane Digital Security Team
# Google Dork : inurl:"/wp-content/plugins/flash-album-gallery/"
# Date : 2017 22 April
# CVE : N/A
# Tested On : Linux - sqlmap
# Category : Web Application
# Software Link : https://downloads.wordpress.org/plugin/flash-album-gallery.zip
############################################
Wordpress flash album gallery Plugins Have a SQL Vulnerability , Valid String Column And Current DB
Research by Ashiyane Digital Security Team
Location : Directory/wp-content/plugins/flash-album-gallery/flagframe.php?i=[Vulnerability]
############################################
<?php if(file_exists(dirname(__FILE__) . '/flag-config.php')){
require_once( dirname(__FILE__) . '/flag-config.php');
} else if(file_exists(dirname(__FILE__) . '/wp-load.php')){
require_once( dirname(__FILE__) . '/wp-load.php');
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?>; charset=<?php bloginfo('charset'); ?>" />
<title><?php bloginfo('name'); ?> <?php if ( is_single() ) { ?> &raquo; Blog Archive <?php } ?> <?php wp_title(); ?> - <?php bloginfo('description'); ?> </title>
</head>
<body style="margin: 0; padding: 0;">
<div id="page">
<?php
wp_enqueue_scripts();
wp_print_scripts(array('jquery', 'swfobject'));
?>
<?php $flag_options = get_option('flag_options');
if(isset($_GET['l'])) {
$linkto = intval($_GET['l']);
} else {
$posts = get_posts(array("showposts" => 1));
$linkto = $posts[0]->ID;
}
if(isset($_GET['i'])) {
$skin = '';
if(isset($_GET['f']) && false === strpos($_GET['f'], '..') ){
$skin = sanitize_flagname($_GET['f']);
$skinpath = trailingslashit( $flag_options['skinsDirABS'] ).$skin;
}
$h = isset($_GET['h'])? intval($_GET['h']) : (int) $flag_options['flashHeight'];

$gids = $_GET['i'];
if($gids=='all') {
/** @var $flagdb flagdb */
global $flagdb;
$gids='';
$orderby=$flag_options['albSort'];
$order=$flag_options['albSortDir'];
$gallerylist = $flagdb->find_all_galleries($orderby, $order);
if(is_array($gallerylist)) {
foreach($gallerylist as $gallery) {
$gids.='_'.$gallery->gid;
}
$gids = ltrim($gids,'_');
}
} else {
$gids = explode('_',$gids);
$mapping = array_map('intval', $gids);
$gids = implode('_',$mapping);
}

if($gids){

echo flagShowFlashAlbum($gids, $name='Gallery', $width='100%', $height=$h, $skin, $playlist='', $wmode='opaque', $linkto); ?>

<?php
do_action('flag_footer_scripts');
wp_print_scripts(array('flagscroll', 'flagscript'));
?>

<?php }
} ?>

<?php
if(isset($_GET['m'])) {
$file = sanitize_flagname($_GET['m']);
$playlistpath = $flag_options['galleryPath'].'playlists/'.$file.'.xml';
if(file_exists($playlistpath))
echo flagShowMPlayer($file, $width='', $height='', $wmode='opaque');
else
_e("Can't find playlist");
}
?>
<?php
if(isset($_GET['v'])) {
$height = isset($_GET['h'])? intval($_GET['h']) : '';
$width = isset($_GET['w'])? '100%' : '';
$file = sanitize_flagname($_GET['v']);
$playlistpath = $flag_options['galleryPath'].'playlists/video/'.$file.'.xml';
if(file_exists($playlistpath))
echo flagShowVPlayer($file, $width, $height, $wmode='opaque');
else
_e("Can't find playlist");
}
?>
<?php
if(isset($_GET['mv'])) {
$height = isset($_GET['h'])? intval($_GET['h']) : '';
$width = '100%';
$mv = intval($_GET['mv']);
echo flagShowVmPlayer($mv, $width, $height, $autoplay='true');
}
?>
<?php
if(isset($_GET['b'])) {
$file = sanitize_flagname($_GET['b']);
$playlistpath = $flag_options['galleryPath'].'playlists/banner/'.$file.'.xml';
if(file_exists($playlistpath))
echo flagShowBanner($file, $width='', $height='', $wmode='opaque');
else
_e("Can't find playlist");
}
?>
</div>
</body>
</html>
################################################
# Discovered By : Hassan Shakeri
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat - Me@Seravo.ir
###########################################################

References:

https://downloads.wordpress.org/plugin/flash-album-gallery.zip


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com