WordPress Video Gallery plugin 'videogalleryrss.php' SQL injection vulnerability

Release date: 2015-02-24
Last updated: 2015-06-02

Affected systems:
WordPress Video Gallery < 2.8

Description:
BUGTRAQ ID: 74882
CVE(CAN) ID: CVE-2015-2065

Video Gallery is a video gallery plugin for WordPress sites.

Versions of the Apptha WordPress Video Gallery (contus-video-gallery) plugin prior to 2.8 contain a SQL injection vulnerability in videogalleryrss.php. A remote attacker can exploit it through the vid parameter of the rss action in wp-admin/admin-ajax.php to execute arbitrary SQL commands.

<*Source: Claudio Viviani*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

http://www.example.com/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


# Exploit Title : Wordpress Video Gallery 2.7 SQL Injection Vulnerability

# Exploit Author : Claudio Viviani

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.7.zip

# Dork Google: inurl:/wp-admin/admin-ajax.php?action=rss

# Date : 2015-02-11

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox

######################

# Vulnerability Disclosure Timeline:

2015-02-08:  Discovered vulnerability
2015-02-09:  Vendor Notification
2015-02-10:  Vendor Response/Feedback
2015-02-10:  Vendor Send Fix/Patch
2015-02-11:  Public Disclosure

# Description

Wordpress Video Gallery 2.7 suffers from SQL injection


######################

# PoC

http://target/wp-admin/admin-ajax.php?action=rss&type=video&vid=[SQLi]


#####################

# Fix/patch sent by apptha's developer

File: videogalleryrss.php

Change line n.47

from:

        $vid             = filter_input(INPUT_GET,'vid');
to:

        $vid             = intval(filter_input(INPUT_GET,'vid'));
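The patch above only accepts an integer for vid, so any request to the rss action whose vid is not a plain integer is at best malformed and worth surfacing in web-server logs. The following detection routine is an added example, not part of the advisory or the plugin; the log lines are constructed in combined log format and the endpoint and parameter names follow the PoC URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2015:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=12 HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Feb/2015:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=12%27 HTTP/1.1" 200 4812 "-" "curl/7.38"
198.51.100.4 - - [11/Feb/2015:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=rss&type=video&vid=abc HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Feb/2015:10:02:30 +0000] "GET /index.php?p=12%27 HTTP/1.1" 200 311 "-" "curl/7.38"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d+)'
)
# The patched handler runs vid through intval(), so a legitimate request
# carries nothing but an optionally signed decimal integer.
INT_RE = re.compile(r'^-?\d+$')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_vid_requests(log_text):
    """Flag admin-ajax.php?action=rss requests whose vid is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["uri"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        # keep_blank_values=True so an empty vid= is reported as well
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("action") != ["rss"]:
            continue
        for vid in qs.get("vid", []):
            if not INT_RE.match(vid):
                findings.append({"ip": rec["ip"], "ts": rec["ts"],
                                 "status": rec["status"], "vid": vid})
    return findings


if __name__ == "__main__":
    for f in suspicious_vid_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} vid={f['vid']!r} status={f['status']}")
```

A 200 response to a flagged request on an unpatched site does not prove compromise, but it is the signal to check the plugin version against 2.8.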

#####################

Discovered By : Claudio Viviani
            http://www.homelab.it
            info@homelab.it
            homelabit@protonmail.ch

            https://www.facebook.com/homelabit
            https://twitter.com/homelabit
            https://plus.google.com/+HomelabIt1/
            https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

Recommendation:
Vendor patch:

WordPress
---------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

https://wordpress.org/plugins/contus-video-gallery/changelog/

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.