Wordpress Like Dislike Counter Plugin SQL Injection Vulnerability

vendor:

Like Dislike Counter for Posts Pages and Comments

by:

XroGuE

8,8

CVSS

CRITICAL

SQL Injection

CWE

Product Name: Like Dislike Counter for Posts Pages and Comments

Affected Version From: 1.2.3

Affected Version To: 1.2.3

Patch Exists: YES

Related CWE: N/A

CPE: a:wpfruits:like_dislike_counter_for_posts_pages_and_comments

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Win7, Linux

2014

WordPress Like Dislike Counter Plugin SQL Injection Vulnerability

A SQL injection vulnerability exists in the Wordpress Like Dislike Counter Plugin, versions 1.2.3 and below. The vulnerability is due to insufficient sanitization of user-supplied input to the 'post_id' and 'up_type' parameters of the 'ajax_counter.php' script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database.

Mitigation:

Upgrade to the latest version of the Wordpress Like Dislike Counter Plugin.

Source

Exploit-DB raw data:

#################################################################################################
#
# Title                : Wordpress Like Dislike Counter Plugin SQL 
Injection Vulnerability
# Risk                 : High+/Critical
# Exploit Author       : XroGuE
# Google Dork          : 
inurl:plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php 
  AND  plugins/pro-like-dislike-counter/ldc-ajax-counter.php
# Plugin Version       : 1.2.3
# Plugin Name          : Like Dislike Counter
# Plugin Download Link : 
http://downloads.wordpress.org/plugin/like-dislike-counter-for-posts-pages-and-comments.zip
# Vendor Home          : www.wpfruits.com
# Date                 : 2014/09/05
# Tested in            : Win7 - Linux
#
##################################################################################################
# This Vulnerability Available in Both Version of This Plugin (Free & 
Pro Version).
#
# PoC :
#
# 
http://localhost/wp/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php
#
# Vulnerable Page : ajax_counter.php
#
#	if (!$changedDir)$changedDir = 
preg_replace('|wp-content.*$|','',__FILE__);
#	include_once($changedDir.'/wp-config.php');
#	if(isset($_COOKIE['ul_post_cnt']))
#	{
#	$posts_present=$_COOKIE['ul_post_cnt'];
#	}
#	else
#	{
#	$posts_present=array();
#	}
#   // Here ------------------------> Inputs Not Filtered ! :|
#	$post_id=$_POST['post_id'];
#	$up_type=$_POST['up_type'];
#   // Here <------------------------
#	if($up_type=='c_like'||$up_type=='c_dislike')
#	{
#	$for_com='c_';
#	}
#	else
#	{
#	$for_com='';
#	}
#	if(!in_array($for_com.$post_id,$posts_present))
#	{
#	update_post_ul_meta($post_id,$up_type);
#	}
#	echo get_post_ul_meta($post_id,$up_type);
#
##################################################################################################
# POST 
wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php 
HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) 
Gecko/20100101 Firefox/31.0 AlexaToolbar/alxf-2.21
# Accept: */*
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Content-Type: application/x-www-form-urlencoded; charset=UTF-8
# X-Requested-With: XMLHttpRequest
# Referer: http://localhost/wp/
# Content-Length: 24
# Connection: keep-alive
# Pragma: no-cache
# Cache-Control: no-cache
# post_id=1&up_type=like
##################################################################################################
#
# Founded By : XroGuE
# Website    : http://www.Att4ck3r.ir
# E-Mail     : info[at]att4ck3r[Dot]ir
#
##################################################################################################