May 19

Analyzing The Photo Gallery by 10Web SQL Injection Vulnerability

WordPress Vulnerabilities



On May 15th, 2020, a SQL injection vulnerability in the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not long after this, we observed a rise in SQL injection attacks against WordPress websites.

Figure: attack data for the Photo Gallery by 10Web vulnerability, as recorded by WebARX

As you can see from the graph above, the attacks spiked on May 16th at 10 PM and May 17th at 7 AM. During the spikes, the attack count rose as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on May 17th the attacks began to decline, ending with 2 attacks on the 17th at 12 AM.

Analysis Of The Attack

After an analysis, it appears that a malicious user is scanning for sites that have a vulnerable version of the plugin installed. We observed the POST payload below being sent 19 000 times against WordPress websites over a period of roughly 36 hours.

[action] => bwg_frontend_data
[bwg_search_0] => 1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''/**/as/**/dummy_3/**/from/**/information_schema.tables#FGDFGDFG))#
[gallery_kind] => album_compact_preview
[kind_0] => album

This payload performs a basic UNION-based SQL injection attack that tries to inject additional data (here, table schema and table names from information_schema) into the result set of the query. The malicious user can use the response to determine whether a vulnerable version of the plugin is, in fact, running on the website. The /**/ inline comments take the place of spaces, a common way of getting past naive keyword filters.
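As an added example (not code from the WebARX post or from the plugin), the following Python flags requests matching the probe pattern above: the bwg_frontend_data AJAX action with a UNION ... SELECT in any bwg_search_* parameter, after stripping the /**/ comment padding. The request bodies are constructed samples, not captured traffic.

```python
# Added example (not from the WebARX post): flag requests matching the
# Photo Gallery bwg_frontend_data injection pattern in constructed sample logs.
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies, in the shape a WordPress admin-ajax.php
# request log might record them (these are not captured traffic).
SAMPLE_BODIES = [
    # benign gallery search
    "action=bwg_frontend_data&bwg_search_0=sunset&gallery_type=album_compact_preview&type_0=album",
    # probe using the UNION pattern described in the post (comments replace spaces)
    "action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL"
    "%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2F%2A%2A%2Ffrom%2F%2A%2A%2F"
    "information_schema.tables%23&gallery_type=album_compact_preview&type_0=album",
    # another action with the same keywords but not the vulnerable handler
    "action=some_other_action&q=union+all+select",
]

def normalize_sql(value: str) -> str:
    """Collapse MySQL inline comments and whitespace so /**/-spaced
    keywords read as ordinary words."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()

UNION_RE = re.compile(r"\bunion\b(?:\s+all)?\s+select\b")

def is_bwg_union_probe(body: str) -> bool:
    """True when the request targets the bwg_frontend_data AJAX action and
    any bwg_search_* parameter carries UNION ... SELECT after comment stripping."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["bwg_frontend_data"]:
        return False
    for name, values in params.items():
        if not name.startswith("bwg_search_"):
            continue
        if any(UNION_RE.search(normalize_sql(v)) for v in values):
            return True
    return False

def flag_requests(bodies):
    """Return the indexes of request bodies that match the probe signature."""
    return [i for i, b in enumerate(bodies) if is_bwg_union_probe(b)]

if __name__ == "__main__":
    for i in flag_requests(SAMPLE_BODIES):
        print(f"request {i}: bwg_frontend_data UNION probe")
```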

All requests were sent with exactly the same user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
Several IP addresses were found in the attack; the original post lists the top 10 with their country and hosting provider.


Analysis Of The Plugin

The payload above makes it clear that the problem resides in the wp_ajax_bwg_frontend_data and wp_ajax_nopriv_bwg_frontend_data AJAX actions. Both call the function frontend_data, which calls a chain of other functions that ultimately leads to the file that is susceptible to SQL injection: /frontend/models/model.php. Because the nopriv variant is registered as well, the action is reachable without being logged in.

Within this file there is a function called get_image_rows_data which uses the bwg_search_* parameter. From the payload used by the malicious user, we can see that this is in fact where the issue resides: data from the user-provided bwg_search_* parameter was used directly in the SQL query, which is what caused this SQL injection vulnerability to exist.

If we look at the differences between version 1.5.54 and 1.5.55 of the plugin, we can see that the patched version adds the use of the $wpdb->prepare function, which parameterizes the query and mitigates the vulnerability.

Timeline

May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability

If you’re concerned your website may have been hacked, please follow the WordPress malware removal guide or get quick professional help with our WordPress malware removal service.

The post Analyzing The Photo Gallery by 10Web SQL Injection Vulnerability appeared first on WebARX.
