# Exploit Title: Cart66 Lite WordPress Ecommerce 1.5.1.17 Blind SQL Injection # Date: 29-10-2014 # Exploit Author: Kacper Szurek - http://security.szurek.pl/ http://twitter.com/KacperSzurek # Software Link: https://downloads.wordpress.org/plugin/cart66-lite.1.5.1.17.zip # Category: webapps 1. Description Cart66Ajax::shortcodeProductsTable() is accessible for every registered user. $postId is not escaped correctly (only html tags are stripped). File: cart66-lite\models\Cart66Ajax.php public static function shortcodeProductsTable() { global $wpdb; $prices = array(); $types = array(); $postId = Cart66Common::postVal('id'); $product = new Cart66Product(); $products = $product->getModels("where id=$postId", "order by name"); $data = array(); } http://security.szurek.pl/cart66-lite-wordpress-ecommerce-15117-blind-sql-injection.html 2. Proof of Concept Login as regular user (created using wp-login.php?action=register):
Blind SQL Injection:
This SQL will check if first password character user ID=1 is “$”. If yes, it will sleep 5 seconds. 3. Solution: Update to version 1.5.2 https://wordpress.org/plugins/cart66-lite/changelog/ https://downloads.wordpress.org/plugin/cart66-lite.1.5.2.zip