Wordpress security

Analyzing The Photo Gallery by 10Web SQL Injection Vulnerability


May 19, 2020 by Dave Jong

On May 15th, 2020, a SQL injection vulnerability in the Photo Gallery plugin by 10Web (with 300k+ active installations) was published by a researcher at Sun* Cyber Security Research. Not long after, we noticed an increase in SQL injection attacks against WordPress sites.

Attack data of the Photo Gallery by 10Web from WebARX

As you can see from the graph above, the attacks spiked on May 16th at 10 PM and on May 17th at 7 AM. At the peak, the attack count rose as high as 1158 on the 16th and 1168 on the 17th. After 12 AM on May 17th the attacks started to decline, ending with 2 attacks on the 17th at 12 AM.

Analysis Of The Attack

Our analysis suggests that the attacker is scanning for sites that have a vulnerable version of this plugin installed. We found the POST payload below being sent 19 000 times against WordPress sites over a period of roughly 36 hours.

[action] => bwg_frontend_data
[bwg_search_0] => 1# %DFGDFG\"))\/**\/UNION\/**\/ALL\/**\/SELECT\/**\/TABLE_SCHEMA,TABLE_NAME,'','','','','','','','','','','','',''\/**\/as\/**\/dummy_3\/**\/from\/**\/information_schema.tables#FGDFGDFG))#
[gallery_type] => album_compact_preview
[type_0] => album

This payload performs a basic UNION-based SQL injection: it appends rows from information_schema.tables (schema and table names) to the result set of the query, which the malicious user can use to determine whether a vulnerable version of the plugin is, in fact, running on the site.

All requests were sent with the same user agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0.
Multiple IP addresses were used in the attack; the top 10 are as follows:

  1. 104.131.54.12 – USA – DigitalOcean
  2. 92.53.66.50 – Russia – OOO Network of data-centers Selectel
  3. 54.36.181.42 – France – OVH SAS
  4. 54.36.197.5 – France – OVH SAS
  5. 51.83.70.152 – France – OVH SAS
  6. 51.178.9.174 – France – OVH SAS
  7. 54.38.38.128 – France – OVH SAS
  8. 37.17.168.148 – Hungary – Szervernet Ltd
  9. 192.254.68.134 – USA – Centrilogic
  10. 188.166.189.164 – Singapore – DigitalOcean
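As an added example that is not part of the original post, the following detection logic shows how a site operator could pick the probes out of access-log records that include the captured POST body. The record layout, the sample records and the 203.0.113.x client addresses are constructed for the example; the user agent and the (abbreviated) payload are the ones shown above. The scan keys on the bwg_frontend_data action and only inspects the bwg_search_* parameters, then buckets hits by source IP and by hour, which is the shape of the data in the graph above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# User agent seen on every request in the campaign (from the post).
CAMPAIGN_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"

# Abbreviated form of the posted payload (the empty-string columns are dropped),
# percent-encoded as it travels in a form body.
PROBE_BODY = ("action=bwg_frontend_data"
              "&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT"
              "%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23"
              "&gallery_type=album_compact_preview&type_0=album")

# Constructed sample records, not real traffic: (timestamp, client IP, user agent, raw POST body).
SAMPLE_REQUESTS = [
    ("2020-05-16T22:01:03", "104.131.54.12", CAMPAIGN_UA, PROBE_BODY),
    ("2020-05-16T22:03:41", "104.131.54.12", CAMPAIGN_UA, PROBE_BODY),
    ("2020-05-17T07:12:09", "92.53.66.50", CAMPAIGN_UA, PROBE_BODY),
    # A legitimate gallery search and an unrelated admin-ajax call; neither must be flagged.
    ("2020-05-17T07:15:00", "203.0.113.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/76.0",
     "action=bwg_frontend_data&bwg_search_0=sunset+beach&gallery_type=album_compact_preview&type_0=album"),
    ("2020-05-17T07:16:30", "203.0.113.8", "Mozilla/5.0 (X11; Linux x86_64) Firefox/76.0",
     "action=heartbeat&data=1"),
]

SQLI_INDICATORS = [
    re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\b", re.I),  # UNION-based probe
    re.compile(r"\binformation_schema\b", re.I),                          # schema enumeration
]


def normalize(value: str) -> str:
    """Turn MySQL inline comments (/**/), used in the payload as space substitutes, back into whitespace."""
    value = re.sub(r"/\*.*?\*/", " ", value)
    return re.sub(r"\s+", " ", value)


def is_sqli_probe(value: str) -> bool:
    norm = normalize(value)
    return any(p.search(norm) for p in SQLI_INDICATORS)


def scan(requests):
    """Flag bwg_frontend_data requests whose bwg_search_* values look like SQL injection probes."""
    findings = []
    for ts, ip, ua, body in requests:
        params = parse_qs(body, keep_blank_values=True)
        if params.get("action") != ["bwg_frontend_data"]:
            continue
        for name, values in params.items():
            if name.startswith("bwg_search_") and any(is_sqli_probe(v) for v in values):
                findings.append({"time": ts, "ip": ip, "ua": ua, "param": name})
    by_ip = Counter(f["ip"] for f in findings)
    by_hour = Counter(f["time"][:13] for f in findings)  # bucket by YYYY-MM-DDTHH
    return findings, by_ip, by_hour


if __name__ == "__main__":
    found, ips, hours = scan(SAMPLE_REQUESTS)
    print(f"{len(found)} probe(s) flagged")
    for ip, n in ips.most_common():
        print(f"  {ip}: {n}")
    for hour, n in sorted(hours.items()):
        print(f"  {hour}:00  {n}")
```

The normalisation step matters: the payload avoids spaces entirely (the plugin splits the search string on whitespace), so a pattern that expects "UNION SELECT" with a literal space would miss it unless the /**/ comments are collapsed first. Because the scan reads the decoded POST body rather than the URL, it also works for the nopriv (unauthenticated) variant of the action, which sends the same parameters.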

Analysis Of The Plugin

The payload above makes it clear that the issue resides in the wp_ajax_bwg_frontend_data and wp_ajax_nopriv_bwg_frontend_data AJAX actions. Both call the function frontend_data, which in turn calls a chain of other functions that ends in the file vulnerable to SQL injection: /frontend/models/model.php.

In this file, a function called get_image_rows_data uses the bwg_search_* parameter. The payload used by the malicious user confirms that this is where the issue resides: the user-provided bwg_search_* value was used directly in the SQL query, which is what made the SQL injection possible.

Looking at the differences between versions 1.5.54 and 1.5.55 of the plugin here, we can see that the patched version passes the query through the $wpdb->prepare function, which mitigates the vulnerability.
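To make the before/after concrete, here is an added example written in Python against SQLite rather than the plugin's PHP; it is not the plugin's code and the table, the WHERE clause shape and the function names are assumptions. vulnerable_search_sql mirrors the pre-1.5.55 pattern the post describes (the search term dropped into the query text), and safe_search is the equivalent of the $wpdb->prepare fix, with the term bound as a parameter. Rather than running the MySQL-specific payload, keywords_outside_literals does a quote-aware scan of the generated SQL to show that with the vulnerable builder the user's input contributes keywords outside string literals, while the parameterised query's text never changes. The LIKE escaping is an extra step beyond the page's fix: binding a parameter stops injection, but % and _ in user input still act as wildcards, which is what $wpdb->esc_like() exists for in WordPress.

```python
import re
import sqlite3

# Attacker-controlled value from the post (abbreviated: the empty-string columns are omitted).
PAYLOAD = '1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME/**/from/**/information_schema.tables#'


def make_db() -> sqlite3.Connection:
    """Constructed sample table, not the plugin's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, alt TEXT, description TEXT)")
    conn.executemany("INSERT INTO images (alt, description) VALUES (?, ?)",
                     [("sunset beach", "evening"), ("city 100% view", "skyline"), ("forest", "trees")])
    return conn


def vulnerable_search_sql(term: str) -> str:
    """The pre-1.5.55 pattern as the post describes it: the search term goes straight into the query text.
    The WHERE clause shape is assumed; the real query is not reproduced on the page."""
    return ('SELECT id, alt, description FROM images '
            f'WHERE ((alt LIKE "%{term}%" OR description LIKE "%{term}%"))')


def keywords_outside_literals(sql: str, keywords=("UNION", "SELECT", "FROM")) -> list:
    """Quote-aware scan: which of the given keywords occur outside '...' / "..." string literals?
    For a query built from trusted text only, the answer never depends on user input."""
    outside, quote = [], None
    for ch in sql:
        if quote:                      # inside a literal: only look for its closing quote
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
            outside.append(" ")
        else:
            outside.append(ch)
    text = re.sub(r"/\*.*?\*/", " ", "".join(outside)).upper()   # /**/ is whitespace to MySQL
    words = set(re.findall(r"[A-Z_]+", text))
    return [k for k in keywords if k in words]


def escape_like(term: str) -> str:
    """Make % and _ in user input match literally (the job $wpdb->esc_like() does in WordPress)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(conn: sqlite3.Connection, term: str) -> list:
    """Parameterised query: the SQLite equivalent of $wpdb->prepare() with %s placeholders.
    The SQL text is a constant; the term reaches the engine as data, never as query text."""
    pattern = f"%{escape_like(term)}%"
    sql = ("SELECT id, alt, description FROM images "
           "WHERE (alt LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\')")
    return conn.execute(sql, (pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign term :", keywords_outside_literals(vulnerable_search_sql("sunset")))
    print("vulnerable, payload     :", keywords_outside_literals(vulnerable_search_sql(PAYLOAD)))
    print("safe, benign term       :", safe_search(db, "sunset"))
    print("safe, payload           :", safe_search(db, PAYLOAD))
```

With the payload, the vulnerable builder's double quote closes the LIKE literal early, so UNION appears in the query text outside any literal; the safe version returns no rows because the whole payload is matched as an ordinary search string. When auditing a plugin for this class of bug, the question to ask of each query is the same one the scanner asks: does any user-supplied byte end up in the SQL text rather than in a bound parameter?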

Timeline

May 15th: Vulnerability was disclosed
May 15th: Vulnerability was patched in version 1.5.55
May 16th: Attacks detected against the vulnerability

If you’re concerned that your website might be hacked, please follow the WordPress malware removal guide or get fast professional help with our WordPress malware removal service.
