Analyzing The Photo Gallery by 10Web SQL Injection Vulnerability

Published 13 September 2021
Updated 19 July 2023
Oliver Sild
CEO at Patchstack

On May 15th, 2020, a SQL injection vulnerability in the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not long after, we noticed an increase in SQL injection attacks against WordPress sites.

Figure: Attack data of the Photo Gallery by 10Web, from Patchstack

As the graph above shows, the attacks spiked on May 16th at 10 PM and on May 17th at 7 AM. At the peaks, the attack count rose as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on May 17th the attacks began to decline, ending with 2 attacks on the 17th at 12 AM.

Our analysis suggests that a malicious user was attempting to find sites with a vulnerable version of this plugin installed. We saw the POST payload below sent 19 000 times against WordPress sites over a period of roughly 36 hours.

[action] => bwg_frontend_data
[bwg_search_0] => 1# %DFGDFG\"))\/**\/UNION\/**\/ALL\/**\/SELECT\/**\/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''\/**\/as\/**\/dummy_3\/**\/from\/**\/information_schema.tables#FGDFGDFG))#
[gallery_type] => album_compact_preview
[type_0] => album

The payload performs a basic UNION-based SQL injection: it attempts to append attacker-chosen data (here, schema and table names from information_schema) to the result set of the query. The malicious user can then use the response to determine whether a vulnerable version of the plugin is in fact running on the site.

All requests were sent with the same user-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
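As an added illustration (not code from this post or from the plugin), the following Python detector flags requests of the shape described above: bodies for the bwg_frontend_data action whose bwg_search_* value carries UNION and SELECT, or a reference to information_schema, after the /**/ comment filler has been normalised away. The sample request log and its IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlencode

# Constructed sample traffic as (ip, user_agent, raw_post_body). PROBE_BODY mirrors the
# shape of the payload quoted in the post; the IPs are RFC 5737 documentation addresses.
PROBE_BODY = urlencode({
    "action": "bwg_frontend_data",
    "bwg_search_0": '1# "))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME'
                    '/**/from/**/information_schema.tables#',
    "gallery_type": "album_compact_preview",
    "type_0": "album",
})
BENIGN_BODY = urlencode({"action": "bwg_frontend_data", "bwg_search_0": "union station",
                         "gallery_type": "album", "type_0": "album"})
FIREFOX_76 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"
SAMPLE_REQUESTS = [
    ("203.0.113.10", FIREFOX_76, PROBE_BODY),
    ("203.0.113.10", FIREFOX_76, PROBE_BODY),
    ("198.51.100.7", "Mozilla/5.0", BENIGN_BODY),
    ("203.0.113.99", FIREFOX_76, PROBE_BODY),
    ("198.51.100.8", "Mozilla/5.0", urlencode({"action": "heartbeat"})),
]

# Signature: UNION ... SELECT (both keywords, so a search for "union station" is not
# flagged) or a reference to information_schema inside a bwg_search_* value.
_UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)
_INFO_SCHEMA = re.compile(r"\binformation_schema\b", re.IGNORECASE)

def normalise(value: str) -> str:
    """Turn /**/ comment fillers into spaces and collapse whitespace so split keywords are visible."""
    return re.sub(r"\s+", " ", value.replace("/**/", " "))

def is_bwg_search_probe(body: str) -> bool:
    """True when a POST body targets bwg_frontend_data with SQL keywords in a bwg_search_* field."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action") != ["bwg_frontend_data"]:
        return False
    for name, values in params.items():
        if name.startswith("bwg_search_"):
            for raw in values:
                v = normalise(raw)
                if _UNION_SELECT.search(v) or _INFO_SCHEMA.search(v):
                    return True
    return False

def probe_sources(requests, top_n=10):
    """Count flagged requests per source IP, most active first (like the post's top-10 list)."""
    hits = Counter(ip for ip, _ua, body in requests if is_bwg_search_probe(body))
    return hits.most_common(top_n)
```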

Multiple IP addresses were used in the attack, the top 10 are as follows:

  1. 104.131.54.12 - USA - DigitalOcean
  2. 92.53.66.50 - Russia - OOO Network of data-centers Selectel
  3. 54.36.181.42 - France - OVH SAS
  4. 54.36.197.5 - France - OVH SAS
  5. 51.83.70.152 - France - OVH SAS
  6. 51.178.9.174 - France - OVH SAS
  7. 54.38.38.128 - France - OVH SAS
  8. 37.17.168.148 - Hungary - Szervernet Ltd
  9. 192.254.68.134 - USA - Centrilogic
  10. 188.166.189.164 - Singapore - DigitalOcean

The payload above makes it clear that the issue resides in the wp_ajax_bwg_frontend_data and wp_ajax_nopriv_bwg_frontend_data AJAX actions. Both call the function frontend_data, which in turn calls a chain of other functions that ultimately ends in the file vulnerable to SQL injection: /frontend/models/model.php.

In this file there is a function called get_image_rows_data which uses the bwg_search_* parameter. The payload used by the malicious user confirms that this is where the issue resides: data from the user-provided bwg_search_* parameter was used directly in the SQL query, which is what caused this SQL injection vulnerability.

Comparing version 1.5.54 and 1.5.55 of the plugin shows that the patched version uses the $wpdb->prepare function, which mitigates the vulnerability.

Timeline

May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability
