Wordpress Photo Gallery Unauthenticated SQL injection

Version 1.2.7 and likely prior of the Photo Gallery plugin (almost 500,000 downloads to date) are vulnerable to an unauthenticated boolean-based and time-based blind SQL injection.

Vulnerable version: https://downloads.wordpress.org/plugin/photo-gallery.1.2.7.zip

Within the following GET request, the order_by parameter, specifically, is vulnerable.

GET /wordpress/wp-admin/admin-ajax.php?tag_id=0&action=GalleryBox&current_view=0&image_id=1&gallery_id=1&theme_id=1&thumb_width=180&thumb_height=90&open_with_fullscreen=0&open_with_autoplay=0&image_width=800&image_height=500&image_effect=fade&sort_by=order&order_by=asc&enable_image_filmstrip=1&image_filmstrip_height=70&enable_image_ctrl_btn=1&enable_image_fullscreen=1&popup_enable_info=1&popup_info_always_show=0&popup_info_full_width=0&popup_hit_counter=0&popup_enable_rate=0&slideshow_interval=5&enable_comment_social=1&enable_image_facebook=1&enable_image_twitter=1&enable_image_google=1&enable_image_pinterest=0&enable_image_tumblr=0&watermark_type=none&current_url=p=1 HTTP/1.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Host: 172.31.16.30
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Connection: close
X-Requested-With: XMLHttpRequest
Pragma: no-cache
Cache-Control: no-cache,no-store
Referer: http://172.31.16.30/wordpress/?p=1

One thing to note is that the characters < and > are filtered to &lt; and &gt;, respectively, so exploitation requires the use of the BETWEEN keyword (see --tamper=between in sqlmap). It also requires that at least one gallery has been created with at least one image. The module will attempt to brute-force a sufficient gallery ID if none is provided.

Attached is a small example module that will enumerate the tables and the length of the values within the users table.
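Since the only legitimate values of order_by in this request are asc and desc, a defender can spot probing of this endpoint in web server access logs by allow-listing that parameter on the GalleryBox action. The following is an added detection example written for this advisory, not code from the original post or from the plugin; the log lines it scans are constructed, not real traffic.

```python
"""Flag admin-ajax.php?action=GalleryBox requests whose order_by is not asc/desc."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx); only the client IP, timestamp and request path are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

# The Photo Gallery request shown in the advisory only ever uses these two values.
ALLOWED_ORDER = {"asc", "desc"}


def inspect_request(path):
    """Return None for a benign request, otherwise a short reason string."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX for us
    if qs.get("action", [""])[0] != "GalleryBox" or "order_by" not in qs:
        return None
    order_by = qs["order_by"][0].strip().lower()
    if order_by in ALLOWED_ORDER:
        return None
    return f"order_by={order_by!r} is not asc/desc"


def scan_log(lines):
    """Return (ip, timestamp, reason) for every suspicious line in an access log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reason = inspect_request(m["path"])
        if reason:
            hits.append((m["ip"], m["ts"], reason))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:12:00:01 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=GalleryBox&gallery_id=1&image_id=1&sort_by=order&order_by=asc HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2014:12:00:02 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=GalleryBox&gallery_id=1&image_id=1&sort_by=order&order_by=asc%20BETWEEN%201%20AND%202 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2014:12:00:03 +0000] "GET /wordpress/?p=1 HTTP/1.1" 200 9000',
    '203.0.113.5 - - [10/Oct/2014:12:00:04 +0000] "GET /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Because blind injection needs many requests to extract one value, a burst of flagged lines from a single client is the stronger signal than any one line.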
A more weaponized version that supports pulling the actual values and storing them is available on ExploitHub (https://exploithub.com/catalog/product/view/id/571/).

Demo run of weaponized version: https://gist.github.com/brandonprry/939bb8e969a57301ffc3

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Attachment:
wp_photogallery_users_example_sqli.rb
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/